CVE-2026-27590
Received Received - Intake
Unicode Path Confusion in Caddy FastCGI Enables Potential RCE

Publication date: 2026-02-24

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment). Version 2.11.1 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-02-25
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27590
EUVD
EUVD-2026-8545
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
caddyserver caddy to 2.11.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-180 The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "This vulnerability exists in Caddy's FastCGI path splitting logic used to determine SCRIPT_NAME, SCRIPT_FILENAME, and PATH_INFO for PHP requests. The problem arises because Caddy computes the split index on a lowercased copy of the request path but then uses that index to slice the original path string. This is unsafe for Unicode characters since lowercasing can change the UTF-8 byte length of some characters, causing the byte offsets to mismatch."}, {'type': 'paragraph', 'content': "As a result, Caddy can derive incorrect path components, potentially causing a request containing '.php' to execute a different on-disk file than intended. This path confusion can lead to unintended PHP execution of non-.php files, especially in setups where an attacker can control file contents, such as upload features."}, {'type': 'paragraph', 'content': 'The vulnerability is remotely triggerable via crafted URLs and affects all Caddy versions prior to 2.11.0. It was fixed in version 2.11.0.'}] [1]

Impact Analysis

This vulnerability can lead to path confusion where PHP requests execute unintended files on disk. In environments where an attacker can upload or control file contents, this can result in the execution of non-.php files as PHP scripts.

Such unintended execution can potentially lead to remote code execution (RCE), allowing attackers to run arbitrary code on the server depending on the deployment specifics.

Because the vulnerability is remotely triggerable via crafted URLs, it poses a significant security risk to affected Caddy servers.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by identifying if your system is running a vulnerable version of Caddy prior to 2.11.0, as the issue lies in the FastCGI path splitting logic. Detection involves checking the Caddy server version and monitoring for unusual PHP execution behavior triggered by crafted URLs containing Unicode characters that expand when lowercased.

There are no specific commands provided in the resources to detect exploitation attempts directly on the network or system. However, you can check the Caddy version by running:

  • caddy version

Additionally, monitoring web server logs for requests containing unusual Unicode characters or unexpected PHP file executions may help identify exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to upgrade Caddy to version 2.11.0 or later, where the vulnerability has been fixed by correcting the path splitting logic to handle Unicode characters safely.

Until the upgrade can be applied, restrict or disable any features that allow attackers to upload or control file contents, as this is a key factor in exploitation.

Also, consider monitoring and filtering incoming requests for suspicious Unicode payloads that could trigger the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27590. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart