CVE-2026-45135
Undergoing Analysis - In Progress
FastCGI Path Traversal in Caddy Server

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Caddy is an extensible server platform that uses TLS by default. From 2.7.0 until 2.11.3, the FastCGI transport's splitPos() in modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead Caddy's FastCGI splitting into treating a non-.php (or other configured split_path extension) file as a script. In any deployment where the attacker can place content into a file served via FastCGI (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw. This vulnerability is fixed in 2.11.3.
Affected Vendors & Products
Vendor        Product   Version / Range
caddyserver   caddy     From 2.7.0 (inc) to 2.10.2 (inc)
caddyserver   caddy     2.11.3

Note: the description above gives the affected range as 2.7.0 until 2.11.3 and names 2.11.3 as the fixed release, so the second CPE row conflicts with it and the first row omits 2.11.0 through 2.11.2. Check the NVD record before relying on this table for version matching.
CWE ID    Description
CWE-178   Improper Handling of Case Sensitivity: the product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.
CWE-20    Improper Input Validation: the product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-176   Improper Handling of Unicode Encoding: the product does not properly handle when an input contains Unicode encoding.
AI Quick Actions
Compliance Impact

The vulnerability in Caddy's FastCGI module allows remote code execution by bypassing file extension checks through unsafe Unicode handling. This can lead to unauthorized execution of scripts and potential compromise of the server hosting sensitive data.

Such a compromise could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

If exploited, this vulnerability could lead to data breaches or unauthorized data manipulation, thereby violating requirements for data confidentiality, integrity, and security mandated by these regulations.

Executive Summary

CVE-2026-45135 affects Caddy's FastCGI transport, specifically splitPos(), the function that decides where a request path is split into the script part (SCRIPT_NAME, and with the document root SCRIPT_FILENAME) and the trailing PATH_INFO by locating a configured split_path extension such as .php. When the path contains a non-ASCII byte, splitPos() falls back to golang.org/x/text/search with search.IgnoreCase, and that fallback has two flaws: first, it can retain a stale match value and so report a split for a non-PHP file; second, the loose comparison applies compatibility decomposition and case folding beyond ASCII, so Unicode lookalike characters satisfy the extension check without a literal .php appearing in the path. An attacker who can place a file in a FastCGI-served directory can craft URLs that trigger either flaw so that Caddy hands the upstream a non-script file as the script to execute.

The result is remote code execution through the FastCGI upstream (for example PHP-FPM). The crafted request itself needs no authentication to Caddy, but the attacker must first be able to get content into a file served by a FastCGI route, for instance through an upload feature. The affected-versions table lists 2.7.0 through 2.10.2, while the description gives 2.7.0 until 2.11.3; 2.11.3 is the fixed release, which removes the problematic fallback and treats any non-ASCII byte in the path as a non-match.
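The two matching behaviours contrasted above, as an added Go example that is not Caddy's code: permissiveSplitPos is a hypothetical matcher that folds case and fullwidth compatibility forms before searching for the split string (a deliberately tiny stand-in for the loose Unicode matching the advisory describes; real NFKC folds far more code points), and strictSplitPos applies the rule the advisory attributes to the fix, refusing to split any path that contains a non-ASCII byte. The function names, the sample paths and the fullwidth-only fold are assumptions of this example. It also shows a second hazard of folding before matching: the offset comes back in folded-string coordinates, so slicing the original path with it can cut inside a multi-byte rune.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

// foldFullwidth maps the Fullwidth ASCII Variants block (U+FF01..U+FF5E) onto
// U+0021..U+007E. It is a deliberately tiny stand-in for the compatibility
// decomposition that loose Unicode matching performs; real NFKC folds far more.
func foldFullwidth(s string) string {
	var b strings.Builder
	for _, r := range s {
		if r >= 0xFF01 && r <= 0xFF5E {
			r -= 0xFEE0
		}
		b.WriteRune(r)
	}
	return b.String()
}

// permissiveSplitPos is a hypothetical matcher (not Caddy's code) showing the
// flawed behaviour class: it folds case and compatibility forms before looking
// for the split string, so a path with no literal ".php" still matches, and the
// offset it returns is measured in the folded string, not in the caller's bytes.
func permissiveSplitPos(path string, splits []string) int {
	folded := strings.ToLower(foldFullwidth(path))
	for _, split := range splits {
		if idx := strings.Index(folded, strings.ToLower(split)); idx > -1 {
			return idx + len(split)
		}
	}
	return -1
}

// asciiLower lowercases only A-Z, so byte offsets stay aligned with the input.
func asciiLower(s string) string {
	b := []byte(s)
	for i, c := range b {
		if c >= 'A' && c <= 'Z' {
			b[i] = c + ('a' - 'A')
		}
	}
	return string(b)
}

// isASCII reports whether every byte of s is below 0x80.
func isASCII(s string) bool {
	for i := 0; i < len(s); i++ {
		if s[i] >= 0x80 {
			return false
		}
	}
	return true
}

// strictSplitPos applies the rule the advisory attributes to the fix: a path
// with any non-ASCII byte is never split (-1); otherwise the comparison is
// ASCII case-insensitive, and the result is a valid byte index into path.
func strictSplitPos(path string, splits []string) int {
	if !isASCII(path) {
		return -1
	}
	lower := asciiLower(path)
	for _, split := range splits {
		if idx := strings.Index(lower, asciiLower(split)); idx > -1 {
			return idx + len(split)
		}
	}
	return -1
}

// splitAt does what a caller does with the offset: bytes before it become the
// script name, the rest PATH_INFO. A folded offset can cut inside a multi-byte
// rune, so the result also reports whether the script part is valid UTF-8.
func splitAt(path string, pos int) (script, pathInfo string, validUTF8 bool) {
	if pos < 0 || pos > len(path) {
		return path, "", true
	}
	return path[:pos], path[pos:], utf8.ValidString(path[:pos])
}

func main() {
	splits := []string{".php"}
	// Constructed sample paths. The third uses U+FF0E FULLWIDTH FULL STOP and
	// U+FF50/U+FF48 FULLWIDTH LATIN SMALL LETTER P/H: no literal ".php" at all.
	for _, p := range []string{
		"/index.php/extra/info",
		"/INDEX.PHP",
		"/uploads/avatar.jpg/x\uFF0E\uFF50\uFF48\uFF50",
		"/uploads/caf\u00e9.jpg",
	} {
		pp, sp := permissiveSplitPos(p, splits), strictSplitPos(p, splits)
		script, _, ok := splitAt(p, pp)
		fmt.Printf("%-40q permissive=%3d script=%q validUTF8=%-5v strict=%3d\n", p, pp, script, ok, sp)
	}
}
```

Run as-is and compare the two columns: the fullwidth path gets a split position from the permissive matcher even though it never contains ".php", and the script slice it yields is not even valid UTF-8, while the strict matcher returns -1 for it and behaves identically to the permissive one on plain ASCII paths, which is why the ASCII-only rule costs nothing for legitimate .php URLs.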

Impact Analysis

This vulnerability can have severe impacts including unauthorized remote code execution on your server. If an attacker can upload or place files in directories served via FastCGI, they can craft URLs that cause Caddy to treat non-script files as executable scripts, potentially allowing them to run arbitrary code.

Such an exploit can lead to full system compromise, data theft, service disruption, or further attacks within your network, all without requiring authentication.

Detection Guidance

Exploitation requires a request path that carries at least one non-ASCII byte, because that is what sends splitPos() into the flawed fallback; the lookalike variant additionally uses characters that fold to '.php' (or another configured split_path extension) without spelling it literally. Detection therefore centres on requests to FastCGI-handled routes whose decoded path contains any byte of 0x80 or above, not only on recognisable lookalikes.

Search the access log (by default Caddy writes JSON with the request line under request.uri) for non-ASCII content in the path. Check both encodings: clients may send the bytes raw or percent-encoded, and Go decodes percent-escapes into the path before Caddy's handlers see it, so %EF%BC%8E and a raw U+FF0E reach splitPos() as the same bytes.

  • Raw (unencoded) non-ASCII bytes anywhere in the logged URI of Caddy's default JSON log; LC_ALL=C keeps grep byte-oriented so lines containing invalid UTF-8 are not skipped:
    LC_ALL=C grep -P '"uri":"[^"]*[\x80-\xFF]' access.log
  • Percent-encoded non-ASCII bytes (any %80 through %FF escape) in the URI:
    grep -iE '"uri":"[^"]*%[89a-f][0-9a-f]' access.log
  • One concrete lookalike, FULLWIDTH FULL STOP followed by fullwidth "php" (U+FF0E U+FF50 U+FF48 U+FF50), percent-encoded, plus U+FE52 SMALL FULL STOP (%EF%B9%92) as a second dot lookalike:
    grep -iE '%EF%BC%8E%EF%BD%90%EF%BD%88%EF%BD%90|%EF%B9%92' access.log

The first two commands catch every request that could have reached the flawed fallback, not only lookalikes, so expect legitimate hits from non-ASCII file names; restrict the search to the paths your php_fastcgi routes handle and review the hits rather than alerting on them blindly. Lookalike lists such as the third command are inherently incomplete, since compatibility decomposition covers many more code points than the fullwidth block.
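A detector for the pattern described above, added here as an example and not part of the original page or of Caddy: it reads Caddy-style JSON access-log lines, strips the query and percent-decodes request.uri (so an encoded %EF%BC%8E and a raw U+FF0E are judged the same way, as they are by the server), and reports every request whose path carries non-ASCII content, listing the offending code points and any bytes that are not valid UTF-8. The log lines are constructed for the example, the type and function names are the example's own, and the route-prefix filter stands in for the routes a given deployment actually hands to php_fastcgi.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
	"unicode/utf8"
)

// accessLog holds the one field of Caddy's JSON access log this check needs.
type accessLog struct {
	Request struct {
		URI string `json:"uri"`
	} `json:"request"`
}

// Finding is one request whose decoded path carries non-ASCII content.
type Finding struct {
	URI        string   // as logged (possibly percent-encoded)
	Decoded    string   // path after percent-decoding, query removed
	CodePoints []string // e.g. "U+FF0E", or "0xFF (invalid UTF-8)"
}

// decodePath drops the query and percent-decodes the path, because Go decodes
// percent-escapes into r.URL.Path before any Caddy handler sees the request.
func decodePath(uri string) string {
	path := uri
	if i := strings.IndexByte(path, '?'); i >= 0 {
		path = path[:i]
	}
	if dec, err := url.PathUnescape(path); err == nil {
		path = dec // undecodable input is kept as-is rather than dropped
	}
	return path
}

// nonASCII lists every rune >= U+0080 in s; bytes that are not valid UTF-8 are
// reported separately, since they too count as "a non-ASCII byte" in the path.
func nonASCII(s string) []string {
	var out []string
	for i := 0; i < len(s); {
		r, size := utf8.DecodeRuneInString(s[i:])
		if r == utf8.RuneError && size == 1 {
			out = append(out, fmt.Sprintf("0x%02X (invalid UTF-8)", s[i]))
		} else if r >= 0x80 {
			out = append(out, fmt.Sprintf("U+%04X", r))
		}
		i += size
	}
	return out
}

// inScope limits reporting to path prefixes the operator knows are routed to
// php_fastcgi (a deployment-specific assumption); an empty list means all paths.
func inScope(path string, under []string) bool {
	for _, p := range under {
		if strings.HasPrefix(path, p) {
			return true
		}
	}
	return len(under) == 0
}

// scan parses each line as a Caddy JSON access-log record and returns the
// requests whose decoded, in-scope path contains non-ASCII content.
func scan(logData string, under []string) []Finding {
	var findings []Finding
	for _, line := range strings.Split(logData, "\n") {
		var rec accessLog
		if err := json.Unmarshal([]byte(line), &rec); err != nil || rec.Request.URI == "" {
			continue // blank, truncated or non-access-log line
		}
		path := decodePath(rec.Request.URI)
		if cps := nonASCII(path); len(cps) > 0 && inScope(path, under) {
			findings = append(findings, Finding{URI: rec.Request.URI, Decoded: path, CodePoints: cps})
		}
	}
	return findings
}

// sampleLog is constructed for this example in the shape of Caddy's JSON access
// log (request.uri is the field Caddy writes); it is not real traffic.
const sampleLog = `{"level":"info","logger":"http.log.access","msg":"handled request","request":{"method":"GET","uri":"/index.php?page=1"},"status":200}
{"level":"info","logger":"http.log.access","msg":"handled request","request":{"method":"GET","uri":"/uploads/avatar.jpg/x%EF%BC%8E%EF%BD%90%EF%BD%88%EF%BD%90?v=2"},"status":200}
{"level":"info","logger":"http.log.access","msg":"handled request","request":{"method":"GET","uri":"/uploads/caf\u00e9.jpg"},"status":200}
{"level":"info","logger":"http.log.access","msg":"handled request","request":{"method":"GET","uri":"/x%FF.php"},"status":404}
not a json line`

func main() {
	for _, f := range scan(sampleLog, nil) {
		fmt.Printf("%s\n  decoded=%q non-ASCII=%s\n", f.URI, f.Decoded, strings.Join(f.CodePoints, " "))
	}
}
```

Pointed at a real log, pass scan the prefixes of the routes your Caddyfile sends to php_fastcgi; the accented file name in the sample is there deliberately, since it is exactly the kind of benign hit that makes an unscoped rule noisy, while the %FF line shows that a single invalid byte is enough to count as non-ASCII.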

Mitigation Strategies

The primary mitigation is to upgrade Caddy to 2.11.3 or later, which removes the golang.org/x/text/search fallback from the FastCGI transport and treats any non-ASCII byte in the path as a non-match for split_path.

Until you can upgrade, remove the file-placement precondition: make sure upload, cache and other attacker-writable directories are never covered by a php_fastcgi route (serve them with file_server only, or deny them outright), so that no file an attacker controls can be handed to the FastCGI upstream whatever its name.

As a compensating control, block or alert on requests to FastCGI-handled routes whose decoded path contains non-ASCII bytes. Scope the rule to those routes, since legitimate non-ASCII file names elsewhere would otherwise be blocked, and remember that lookalike blocklists are incomplete while a plain non-ASCII check is not.

Review your file upload and storage policies so that attacker-supplied content cannot land in directories served via FastCGI, and keep the upstream's own guard in place as defence in depth (for PHP-FPM, security.limit_extensions should not be relaxed).
