CVE-2026-27587
Received - Intake
Case-Sensitive Path Bypass in Caddy HTTP Request Matcher

Publication date: 2026-02-24

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path. Version 2.11.1 contains a fix for the issue.
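As an added illustration (not Caddy's source), the Go program below models the comparison the description refers to: a constructed `MatchPathVulnerable` that compares the escaped request path case-sensitively whenever the pattern contains a `%xx` escape, beside a constructed `MatchPathFixed` that lowercases both sides. The pattern and request paths are constructed sample values, and the hex-digit case handling (`%2f` vs `%2F`) goes one step beyond the advisory text.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// parseTarget parses a raw request target ("/ADMIN%2Fpanel"). u.Path is the
// decoded form ("/ADMIN/panel"); u.EscapedPath() keeps the %xx escapes.
func parseTarget(rawURI string) *url.URL {
	u, err := url.ParseRequestURI(rawURI)
	if err != nil {
		return nil
	}
	return u
}

// MatchPathVulnerable is a constructed model of the pre-2.11.1 behaviour the
// advisory describes: a pattern containing a %xx escape is compared against
// the escaped request path with neither side lowercased, so "/ADMIN%2Fpanel"
// slips past a pattern of "/admin%2Fpanel". This is not Caddy's code.
func MatchPathVulnerable(pattern, rawURI string) bool {
	u := parseTarget(rawURI)
	if u == nil {
		return false
	}
	if strings.Contains(pattern, "%") {
		return u.EscapedPath() == pattern // case-sensitive: the defect
	}
	return strings.ToLower(u.Path) == strings.ToLower(pattern)
}

// MatchPathFixed lowercases both sides before comparing. Because hex digits
// in %xx escapes are case-insensitive (RFC 3986), this also makes "%2f" and
// "%2F" compare equal, which is what a case-insensitive matcher should do.
func MatchPathFixed(pattern, rawURI string) bool {
	u := parseTarget(rawURI)
	if u == nil {
		return false
	}
	if strings.Contains(pattern, "%") {
		return strings.ToLower(u.EscapedPath()) == strings.ToLower(pattern)
	}
	return strings.ToLower(u.Path) == strings.ToLower(pattern)
}

func main() {
	const pattern = "/admin%2Fpanel" // constructed sample pattern
	for _, req := range []string{"/admin%2Fpanel", "/ADMIN%2Fpanel", "/admin%2fpanel", "/admin/panel"} {
		fmt.Printf("%-16s vulnerable=%-5t fixed=%t\n", req,
			MatchPathVulnerable(pattern, req), MatchPathFixed(pattern, req))
	}
}
```

Note that `/admin/panel` with a literal slash does not match the `%2F` pattern under either model: an encoded slash names a different path segment, and lowercasing must not be confused with decoding.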
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-02-24
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor: caddyserver
Product: caddy
Version range: from 2.10.2 (inclusive) to 2.11.1 (exclusive)
CWE
CWE-178: The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.
Executive Summary

CVE-2026-27587 is a vulnerability in Caddy server versions prior to 2.11.1 related to how HTTP request paths are matched. The server's path matcher is supposed to be case-insensitive, but when the match pattern contains percent-escape sequences (like %xx), it compares the request's escaped path without converting it to lowercase. This inconsistency allows an attacker to bypass path-based routing and any access controls tied to those routes by changing the casing of the request path's percent-encoded segments.

For example, if a route is configured to block access to '/admin%2Fpanel', a request to '/admin%2Fpanel' will be blocked, but a request to '/ADMIN%2Fpanel' will bypass the block and be allowed. This happens because the matching logic treats the escaped path case-sensitively in this scenario, contrary to the intended case-insensitive behavior. [1]

Impact Analysis

This vulnerability can lead to unauthorized access by allowing attackers to bypass path-based routing and access controls that rely on percent-encoded path patterns. If your deployment uses such patterns to protect sensitive endpoints, an attacker can manipulate the casing of the request path to circumvent these protections.

- Bypass of route-based access controls.
- Potential unauthorized access to sensitive endpoints.
- Compromise of security assumptions in applications relying on Caddy's path matching. [1]

Detection Guidance

This vulnerability can be detected by testing if the Caddy server's path-based routing or access controls using percent-encoded path patterns are bypassable by changing the casing of the request path.

A practical detection method is to send HTTP requests to protected paths with percent-encoded segments in different casing variations and observe if access controls are bypassed.

For example, if the server blocks access to `/admin%2Fpanel`, try sending requests to `/admin%2Fpanel` and `/ADMIN%2Fpanel` and compare the responses.

Suggested commands using curl to test this behavior:

- curl -i http://your-caddy-server/admin%2Fpanel # Expected to be blocked (e.g., HTTP 403)
- curl -i http://your-caddy-server/ADMIN%2Fpanel # If allowed (e.g., HTTP 200), vulnerability exists [1]

Mitigation Strategies

The immediate mitigation step is to upgrade Caddy to version 2.11.1 or later, where this vulnerability is fixed.

Until the upgrade can be performed, consider avoiding percent-encoded path patterns for access control, or adding access control mechanisms that do not rely solely on path matching.

Additionally, monitor and log requests with unusual casing in percent-encoded paths to detect potential exploitation attempts.
