Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-27588 is a vulnerability in the Caddy server platform's HTTP host request matcher. The matcher is supposed to be case-insensitive when matching the Host header in HTTP requests. However, when configured with a large list of hosts (more than 100 entries), the matcher switches to an optimized method that performs case-sensitive comparisons instead of case-insensitive ones."}, {'type': 'paragraph', 'content': 'This means that if an attacker changes the casing of the Host header (for example, from lowercase to uppercase), the matcher fails to recognize the host correctly. As a result, the attacker can bypass host-based routing and any access controls tied to that route, such as authentication or deny rules.'}, {'type': 'paragraph', 'content': 'The issue occurs because the optimized matching path uses a binary search with case-sensitive string equality checks, skipping the fallback case-insensitive checks. This behavior contradicts the documented case-insensitive matching.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers to bypass host-based routing and access controls in Caddy servers that use large host lists for protection. Specifically, if your Caddy server uses the MatchHost matcher with more than 100 exact hostnames to protect sensitive routes or endpoints, an attacker can alter the casing of the Host header to gain unauthorized access.

This can lead to unauthorized access to protected resources, such as administrative paths or other sensitive areas, potentially exposing confidential information or allowing malicious actions.

The vulnerability is particularly impactful in multi-tenant environments where host-based access control is critical for isolating tenants or restricting access.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing how your Caddy server handles HTTP Host headers with different casing when configured with a large host list (more than 100 entries). Specifically, you can send HTTP requests to protected routes with the Host header in lowercase and then with the same hostname but different casing (uppercase or mixed case). If the server allows access when the Host header casing is changed, it indicates the vulnerability.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect the vulnerability include using curl to send requests with varying Host header casing to a protected endpoint:'}, {'type': 'list_item', 'content': 'curl -H "Host: example.com" https://your-caddy-server/admin -v'}, {'type': 'list_item', 'content': 'curl -H "Host: EXAMPLE.COM" https://your-caddy-server/admin -v'}, {'type': 'paragraph', 'content': 'If the first request returns a 403 Forbidden response and the second returns a 200 OK response, it confirms the presence of the vulnerability.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade your Caddy server to version 2.11.1 or later, where the vulnerability has been fixed.

The fix involves normalizing exact hostnames to lowercase during the MatchHost provisioning phase and normalizing incoming request Host headers to lowercase before performing the binary search and equality check. This ensures case-insensitive matching regardless of host list size.

Until you can upgrade, consider reducing the size of your host list to fewer than 100 entries if possible, or implement additional access controls that do not rely solely on host-based routing.

Useful 0 Not Useful 0