CVE-2026-45135
Analyzed Analyzed - Analysis Complete

FastCGI Path Traversal in Caddy Server

Vulnerability report for CVE-2026-45135, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-23

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description

Caddy is an extensible server platform that uses TLS by default. From 2.7.0 until 2.11.3, the FastCGI transport's splitPos() in modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead Caddy's FastCGI splitting into treating a non-.php (or other configured split_path extension) file as a script. In any deployment where the attacker can place content into a file served via FastCGI (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw. This vulnerability is fixed in 2.11.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-23
Last Modified
2026-06-26
Generated
2026-07-14
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-12
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
caddyserver caddy From 2.7.0 (inc) to 2.11.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-176 The product does not properly handle when an input contains Unicode encoding.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-178 The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The CVE-2026-45135 vulnerability affects Caddy's FastCGI module, specifically the splitPos() function that parses file extensions in request paths. It mishandles Unicode characters when processing non-ASCII bytes using golang.org/x/text/search with search.IgnoreCase. This causes two flaws: first, the function may incorrectly treat a non-PHP file as a PHP script by retaining a stale match value; second, Unicode lookalike characters can bypass extension checks due to compatibility decomposition and case folding beyond ASCII. An attacker who can place files in a FastCGI-served directory can craft URLs that exploit these flaws to trick Caddy into executing non-script files as scripts.

This vulnerability allows remote code execution (RCE) without authentication by exploiting the FastCGI upstream (e.g., PHP-FPM). It affects Caddy versions from 2.7.0 to 2.10.2 and was fixed in version 2.11.3 by removing the problematic fallback and treating any non-ASCII byte as a non-match.

Impact Analysis

This vulnerability can have severe impacts including unauthorized remote code execution on your server. If an attacker can upload or place files in directories served via FastCGI, they can craft URLs that cause Caddy to treat non-script files as executable scripts, potentially allowing them to run arbitrary code.

Such an exploit can lead to full system compromise, data theft, service disruption, or further attacks within your network, all without requiring authentication.

Detection Guidance

This vulnerability involves crafted URLs with non-ASCII or Unicode lookalike characters in the request path that cause Caddy's FastCGI module to misinterpret file extensions. Detection involves monitoring HTTP requests for suspicious URL patterns that include non-ASCII bytes or Unicode characters resembling '.php' or other configured script extensions.

You can detect potential exploitation attempts by searching your web server logs for requests containing unusual Unicode characters or non-ASCII bytes in file extensions.

  • Use grep or similar tools to find requests with suspicious Unicode or non-ASCII characters in URLs, for example:
  • grep -P '[\x80-\xFF]' access.log
  • grep -iE '(%EF%BC%8E|%EF%B9%92|%EF%B9%93|%EF%B9%94|%EF%B9%95|%EF%B9%96|%EF%B9%97|%EF%B9%98|%EF%B9%99|%EF%B9%9A|%EF%B9%9B|%EF%B9%9C|%EF%B9%9D|%EF%B9%9E|%EF%B9%9F|%EF%B9%A0|%EF%B9%A1|%EF%B9%A2|%EF%B9%A3|%EF%B9%A4|%EF%B9%A5|%EF%B9%A6|%EF%B9%A7|%EF%B9%A8|%EF%B9%A9|%EF%B9%AA|%EF%B9%AB|%EF%B9%AC|%EF%B9%AD|%EF%B9%AE|%EF%B9%AF|%EF%B9%B0|%EF%B9%B1|%EF%B9%B2|%EF%B9%B3|%EF%B9%B4|%EF%B9%B5|%EF%B9%B6|%EF%B9%B7|%EF%B9%B8|%EF%B9%B9|%EF%B9%BA|%EF%B9%BB|%EF%B9%BC|%EF%B9%BD|%EF%B9%BE|%EF%B9%BF|%EF%BD%90%EF%BD%88%EF%BD%90)' access.log

These commands look for non-ASCII bytes and Unicode characters that could be used to bypass extension checks.

Mitigation Strategies

The primary mitigation is to upgrade Caddy to version 2.11.3 or later, where the vulnerability is fixed by removing the unsafe Unicode handling fallback in the FastCGI module.

Until you can upgrade, consider restricting or disabling FastCGI handling for user-uploaded or untrusted files, especially those with non-ASCII or suspicious file extensions.

Additionally, monitor and block HTTP requests containing suspicious Unicode or non-ASCII characters in URLs that could exploit this flaw.

Review your file upload and storage policies to prevent attackers from placing crafted files in directories served by FastCGI.

Compliance Impact

The vulnerability in Caddy's FastCGI module allows remote code execution by bypassing file extension checks through unsafe Unicode handling. This can lead to unauthorized execution of scripts and potential compromise of the server hosting sensitive data.

Such a compromise could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

If exploited, this vulnerability could lead to data breaches or unauthorized data manipulation, thereby violating requirements for data confidentiality, integrity, and security mandated by these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45135. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart