CVE-2026-45692
Status: Undergoing Analysis - In Progress
Authorization Bypass via Path Traversal in Caddy

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal layer do not agree on what object the path refers to. In this case, a path authorized for one config object is accepted, but then resolves to a different config object during traversal. This happens because the authorization layer uses string prefix matching and the /config traversal layer parses array indices numerically using strconv.Atoi(). This vulnerability is fixed in 2.11.3.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
AI Q&A generated: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor        Product   Version / Range
caddy         server    up to 2.11.3 (inclusive)
caddyserver   caddy     from 2.4.0 (inclusive) to 2.11.3 (inclusive)
CWE ID    Description
CWE-187 The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability enables unauthorized read and write access to configuration elements in Caddy's remote admin API, breaking least-privilege policies.

Such unauthorized access could lead to improper handling or exposure of sensitive data or system configurations, potentially impacting compliance with standards like GDPR or HIPAA that require strict access controls and data protection.

Executive Summary

CVE-2026-45692 is an authorization bypass vulnerability in the Caddy server's remote admin API. The issue arises because the authorization layer and the configuration traversal layer interpret array indices in the API path differently. Specifically, the authorization layer uses string prefix matching, while the traversal layer parses array indices numerically with strconv.Atoi(). This mismatch allows an attacker who is authorized for one array element path to add leading zeros to the index, so that the path still passes the prefix check but resolves to a different array element they are not authorized to access or modify.

For example, a client authorized to access `/config/apps/http/servers/srv/routes/0` could access `/config/apps/http/servers/srv/routes/01`, which the traversal layer interprets as index 1, effectively bypassing authorization restrictions.

This vulnerability affects Caddy versions from 2.4.0 up to 2.11.3 and was fixed in version 2.11.3.
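The mismatch described above, modelled in Go as an added illustration (this is not Caddy's code; the function names, the segment-wise comparison and the canonical-index check are assumptions chosen to show a defender's fix):

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// authorizedByPrefix models the flawed layer: "/routes/01" passes a rule for "/routes/0".
func authorizedByPrefix(allowed, requestPath string) bool {
	return strings.HasPrefix(requestPath, allowed)
}

// resolveIndex models the traversal layer (strconv.Atoi): "01" becomes 1.
func resolveIndex(segment string) (int, error) {
	return strconv.Atoi(segment)
}

// isCanonicalIndex accepts a segment only if it round-trips through
// Atoi/Itoa unchanged, rejecting "01", "+1", "-0" and similar spellings.
func isCanonicalIndex(segment string) bool {
	n, err := strconv.Atoi(segment)
	return err == nil && n >= 0 && strconv.Itoa(n) == segment
}

// authorizedStrict is an assumed hardened check (not Caddy's actual patch): compare
// whole path segments and refuse non-canonical numeric segments, so both layers agree.
func authorizedStrict(allowed, requestPath string) bool {
	want := strings.Split(strings.Trim(allowed, "/"), "/")
	got := strings.Split(strings.Trim(requestPath, "/"), "/")
	if len(got) < len(want) {
		return false
	}
	for i, seg := range got {
		if _, err := strconv.Atoi(seg); err == nil && !isCanonicalIndex(seg) {
			return false
		}
		if i < len(want) && seg != want[i] {
			return false
		}
	}
	return true
}

func main() {
	allowed := "/config/apps/http/servers/srv/routes/0" // constructed rule
	p := allowed + "1"                                   // ".../routes/01"
	fmt.Println(authorizedByPrefix(allowed, p), authorizedStrict(allowed, p))
}
```

The strict variant also rejects a request that is shorter than the authorized path, which plain prefix matching already handled, and still permits children such as `/routes/0/handle`.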

Impact Analysis

This vulnerability can allow an attacker to bypass authorization controls and gain unauthorized read and write access to configuration elements in the Caddy server. This breaks the principle of least privilege by enabling access to configuration objects that should be restricted.

Such unauthorized access could lead to unauthorized changes in server configuration, potentially impacting server behavior, security settings, or exposing sensitive information.

Detection Guidance

This vulnerability can be detected by testing the Caddy remote admin API for authorization bypass attempts involving numeric array indices in the /config API path.

Specifically, you can attempt to access or modify configuration array elements by appending leading zeros to the index in the path, for example, accessing /config/apps/http/servers/srv/routes/01 when only /config/apps/http/servers/srv/routes/0 is authorized.

Commands or scripts that send such manipulated paths to the Caddy admin API and check whether the request is accepted, or whether the configuration element at the other index is read or modified, can confirm whether an instance is affected.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade Caddy to version 2.11.3 or later, where the issue has been fixed.

Until the upgrade can be applied, restrict access to the remote admin API to trusted users only, and monitor for suspicious requests that attempt to exploit numeric array index manipulation.
