CVE-2026-27590
Unicode Path Confusion in Caddy FastCGI Enables Potential RCE
Publication date: 2026-02-24
Last updated on: 2026-02-25
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| caddyserver | caddy | up to 2.11.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-180 | The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Caddy's FastCGI path splitting logic used to determine SCRIPT_NAME, SCRIPT_FILENAME, and PATH_INFO for PHP requests. The problem arises because Caddy computes the split index on a lowercased copy of the request path but then uses that index to slice the original path string. This is unsafe for Unicode characters, since lowercasing can change the UTF-8 byte length of some characters, causing the byte offsets to mismatch.

As a result, Caddy can derive incorrect path components, potentially causing a request containing '.php' to execute a different on-disk file than intended. This path confusion can lead to unintended PHP execution of non-.php files, especially in setups where an attacker can control file contents, such as upload features.

The vulnerability is remotely triggerable via crafted URLs and affects all Caddy versions prior to 2.11.0. It was fixed in version 2.11.0. [1]
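The byte-offset mismatch described above, as an added Go example that is not Caddy's code and not taken from the advisory: a hypothetical `splitPathVulnerable` finds ".php" in a lowercased copy of the path and slices the original with the index it found, while `splitPathSafe` (an assumed remediation, not necessarily the one Caddy shipped) keeps a map from lowercased byte offsets back to original offsets before slicing. The sample paths are constructed; the KELVIN SIGN (U+212A) shrinks from 3 bytes to 1 byte when lowercased and U+023A grows from 2 bytes to 3, so they exercise both directions of the mismatch.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// splitPathVulnerable is a hypothetical illustration of the bug pattern in
// CVE-2026-27590, not Caddy's code. It locates splitOn (for example ".php")
// case-insensitively by searching a lowercased copy of the path, then applies
// the byte index it found to the ORIGINAL path. When lowercasing changes the
// UTF-8 byte length of any rune before the match, the index is off.
func splitPathVulnerable(path, splitOn string) (scriptName, pathInfo string) {
	lower := strings.ToLower(path)
	idx := strings.Index(lower, strings.ToLower(splitOn))
	if idx < 0 {
		return path, ""
	}
	end := idx + len(splitOn)
	if end > len(path) {
		// A lowercased copy that grew can push the index past the original.
		end = len(path)
	}
	return path[:end], path[end:]
}

// splitPathSafe (assumed remediation for this illustration) does the same
// case-insensitive search, but records, for every byte of the lowercased copy,
// the byte offset in the original path of the rune it came from. The match
// position is translated back before the original path is sliced.
// splitOn is assumed to be ASCII, so a match always ends on a rune boundary.
func splitPathSafe(path, splitOn string) (scriptName, pathInfo string) {
	lowerSplit := strings.ToLower(splitOn)
	var lower strings.Builder
	origOffset := make([]int, 0, len(path)+1)
	for i, r := range path {
		lr := unicode.ToLower(r)
		lower.WriteRune(lr)
		for k := 0; k < utf8.RuneLen(lr); k++ {
			origOffset = append(origOffset, i)
		}
	}
	origOffset = append(origOffset, len(path)) // end-of-string boundary
	idx := strings.Index(lower.String(), lowerSplit)
	if idx < 0 {
		return path, ""
	}
	end := origOffset[idx+len(lowerSplit)]
	return path[:end], path[end:]
}

func main() {
	// Constructed sample paths, not from the advisory.
	for _, p := range []string{
		"/app/index.php/extra",        // ASCII only: both functions agree
		"/app/\u212A/index.php/extra", // KELVIN SIGN: 3 bytes -> 1 byte 'k'
		"/app/\u023A/index.php/extra", // U+023A: 2 bytes -> 3 bytes (U+2C65)
	} {
		vs, vp := splitPathVulnerable(p, ".php")
		ss, sp := splitPathSafe(p, ".php")
		fmt.Printf("path=%q\n  vulnerable: SCRIPT_NAME=%q PATH_INFO=%q\n  safe:       SCRIPT_NAME=%q PATH_INFO=%q\n",
			p, vs, vp, ss, sp)
	}
}
```

With the Kelvin sign the vulnerable split yields a SCRIPT_NAME ending in ".p" and a PATH_INFO starting with "hp/", so the derived script path no longer ends in ".php"; with U+023A the boundary overshoots by one byte instead. The safe version produces the expected components in both cases because it never applies an offset from one byte string to another.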
How can this vulnerability impact me?
This vulnerability can lead to path confusion where PHP requests execute unintended files on disk. In environments where an attacker can upload or control file contents, this can result in the execution of non-.php files as PHP scripts.
Such unintended execution can potentially lead to remote code execution (RCE), allowing attackers to run arbitrary code on the server depending on the deployment specifics.
Because the vulnerability is remotely triggerable via crafted URLs, it poses a significant security risk to affected Caddy servers.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying if your system is running a vulnerable version of Caddy prior to 2.11.0, as the issue lies in the FastCGI path splitting logic. Detection involves checking the Caddy server version and monitoring for unusual PHP execution behavior triggered by crafted URLs containing Unicode characters that expand when lowercased.
There are no specific commands provided in the resources to detect exploitation attempts directly on the network or system. However, you can check the Caddy version by running:
- `caddy version`
Additionally, monitoring web server logs for requests containing unusual Unicode characters or unexpected PHP file executions may help identify exploitation attempts.
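The log review suggested above, as an added Go example that is not part of the advisory or of Caddy: it parses constructed JSON access-log lines (the `request.uri` field layout is assumed and should be adjusted to the logger in use), percent-decodes the request path, and flags requests that contain ".php" together with at least one rune whose UTF-8 byte length changes when lowercased, which is the precise precondition for the offset mismatch. The function names and the sample lines are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
	"unicode"
	"unicode/utf8"
)

// accessEntry holds the one field needed from a JSON access-log line. The
// field layout is assumed for this illustration; adjust it to your logger.
type accessEntry struct {
	Request struct {
		Method string `json:"method"`
		URI    string `json:"uri"`
	} `json:"request"`
}

// lowercaseShiftsBytes reports whether lowercasing any rune in s changes its
// UTF-8 byte length, the precondition for the CVE-2026-27590 offset mismatch.
func lowercaseShiftsBytes(s string) bool {
	for _, r := range s {
		if utf8.RuneLen(unicode.ToLower(r)) != utf8.RuneLen(r) {
			return true
		}
	}
	return false
}

// flagSuspiciousRequests returns the decoded request paths that (a) contain
// ".php" case-insensitively, so they would go through the FastCGI split, and
// (b) contain at least one rune whose byte length changes when lowercased.
// Malformed lines are skipped rather than aborting the scan.
func flagSuspiciousRequests(lines []string) []string {
	var flagged []string
	for _, line := range lines {
		var e accessEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			continue
		}
		p := e.Request.URI
		if i := strings.IndexByte(p, '?'); i >= 0 {
			p = p[:i] // drop the query string; only the path is split
		}
		decoded, err := url.PathUnescape(p) // logs usually keep the raw percent-encoding
		if err != nil {
			decoded = p
		}
		if strings.Contains(strings.ToLower(decoded), ".php") && lowercaseShiftsBytes(decoded) {
			flagged = append(flagged, decoded)
		}
	}
	return flagged
}

// sampleLog is constructed for the example; these are not real Caddy logs.
var sampleLog = []string{
	`{"level":"info","msg":"handled request","request":{"method":"GET","uri":"/index.php?x=1"}}`,
	`{"level":"info","msg":"handled request","request":{"method":"GET","uri":"/caf%C3%A9/menu.php"}}`,
	`{"level":"info","msg":"handled request","request":{"method":"GET","uri":"/app/%E2%84%AA/index.php/extra"}}`,
	`{"level":"info","msg":"handled request","request":{"method":"GET","uri":"/%C8%BA/page.html"}}`,
	`not json at all`,
}

func main() {
	for _, p := range flagSuspiciousRequests(sampleLog) {
		fmt.Printf("suspicious path: %q\n", p)
	}
}
```

Only the third line is flagged: "/café/menu.php" contains a non-ASCII rune whose lowercase form has the same byte length, and the fourth line has a length-shifting rune but no ".php", so neither would reach a mismatched split. A broader heuristic that flags any non-ASCII path containing ".php" catches more but is noisier on legitimate internationalised URLs.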
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Caddy to version 2.11.0 or later, where the vulnerability has been fixed by correcting the path splitting logic to handle Unicode characters safely.
Until the upgrade can be applied, restrict or disable any features that allow attackers to upload or control file contents, as this is a key factor in exploitation.
Also, consider monitoring and filtering incoming requests for suspicious Unicode payloads that could trigger the vulnerability.