CVE-2026-52844
Status: Undergoing Analysis - In Progress
Path Traversal in Caddy Web Server

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, on Windows, Caddy path matchers treat /private\secret.txt as outside /private/*, but file_server later resolves the same request path as private\secret.txt on disk. An unauthenticated remote client can bypass Caddy path-scoped auth/deny routes protecting /private/*. This vulnerability is fixed in 2.11.4.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor        Product   Version / Range
caddy         caddy     2.11.4
caddyserver   caddy     up to 2.11.4 (excluding 2.11.4)
CWE ID    Description
CWE-284   The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-22    The product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.
AI Quick Actions (instant insights powered by AI)
Compliance Impact

This vulnerability allows an unauthenticated remote attacker to bypass path-based authorization restrictions and gain unauthorized access to sensitive files such as credentials, backups, or configuration files within protected directories.

Such unauthorized access to sensitive data can lead to a high confidentiality loss, which may result in non-compliance with data protection standards and regulations like GDPR and HIPAA that require strict access controls and protection of personal or sensitive information.

Therefore, if exploited, this vulnerability could cause organizations using affected Caddy versions to fail compliance requirements related to data confidentiality and access control.

Executive Summary

CVE-2026-52844 is a high-severity vulnerability in the Caddy server on Windows platforms. It occurs because Caddy's path matchers treat backslashes in URLs differently from the way the file system does. Specifically, a path like /private\secret.txt is considered outside the protected /private/* directory by the path matcher, but the file_server component resolves it as a file inside the protected directory on disk. This inconsistency allows an unauthenticated remote attacker to bypass path-based authorization and access files that should be restricted.

The root cause is inconsistent handling of path separators: Caddy's route matchers apply URL path semantics, in which only the forward slash separates segments, while the Windows filesystem also accepts the backslash as a separator. Attackers exploit this by sending requests with encoded backslashes to access sensitive files within protected directories.

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive files within protected directories on a Caddy server running on Windows. An attacker can bypass authentication and authorization controls designed to restrict access to certain paths, potentially exposing confidential information such as credentials, backups, or configuration files.

The impact is primarily a high confidentiality loss, as attackers can read files they should not have access to. However, it does not allow attackers to traverse outside the configured site root or cause integrity or availability damage.

Detection Guidance

This vulnerability can be detected by monitoring for HTTP requests that contain backslashes, either literal or percent-encoded (%5c or %5C, since percent-encoding is case-insensitive), in paths that should be protected, such as requests to paths like /private%5csecret.txt.

You can use network traffic inspection tools or web server logs to identify such suspicious requests attempting to bypass path-based authorization.

For example, using command-line tools like grep on access logs to find requests with %5c in the URL path (the -i flag makes the match case-insensitive, so %5C is caught as well):

  • grep -i "%5c" /path/to/caddy/access.log

Alternatively, using network packet capture tools like tcpdump or Wireshark to filter HTTP requests containing %5c in the URI can help detect exploitation attempts.
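As an added example (not part of this page and not code from the Caddy project), the following Go program applies the detection guidance above to a few constructed log lines written in the shape of Caddy's JSON access log: it parses each line, flags any request whose URI carries a backslash either literally or as %5c in any case, and normalizes the path the way a separator-agnostic file lookup would see it (query dropped, percent-decoded, backslash folded to slash, dot-segments cleaned) so that a request which the path matcher would treat as outside /private/ but which resolves inside it stands out. The log lines, IP addresses and the /private/ prefix are constructed; the field names `request.remote_ip`, `request.uri` and `status` follow the layout of Caddy 2 access logs but should be checked against your own log output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// accessEntry holds only the fields of a Caddy-style JSON access-log line that the scan needs.
type accessEntry struct {
	Request struct {
		RemoteIP string `json:"remote_ip"`
		Method   string `json:"method"`
		URI      string `json:"uri"`
	} `json:"request"`
	Status int `json:"status"`
}

// Finding is one request whose path carried a backslash, literal or percent-encoded.
type Finding struct {
	RemoteIP    string
	URI         string // exactly as logged
	Normalized  string // backslashes folded to '/', percent-decoded, dot-segments cleaned
	InProtected bool   // the normalized path lands under the protected prefix (the bypass shape)
	Status      int    // a 200 on an InProtected finding means the file handler served it
}

// SampleLog is constructed sample data in the shape of Caddy's JSON access log.
var SampleLog = []string{
	`{"level":"info","ts":1782000000.1,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.7","method":"GET","uri":"/private%5csecret.txt"},"status":200}`,
	`{"level":"info","ts":1782000001.2,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.7","method":"GET","uri":"/private/secret.txt"},"status":401}`,
	`{"level":"info","ts":1782000002.3,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"198.51.100.4","method":"GET","uri":"/static%5Cimg%5Clogo.png?v=2"},"status":200}`,
	`{"level":"info","ts":1782000003.4,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"198.51.100.4","method":"GET","uri":"/index.html"},"status":200}`,
}

// hasBackslash reports whether the URI contains a backslash, literal or as %5c/%5C.
func hasBackslash(uri string) bool {
	return strings.Contains(uri, `\`) || strings.Contains(strings.ToLower(uri), "%5c")
}

// NormalizePath rewrites a logged URI into the path a separator-agnostic file lookup
// would see: query dropped, percent-decoded, '\' treated as '/', then cleaned.
func NormalizePath(uri string) string {
	p := uri
	if i := strings.IndexByte(p, '?'); i >= 0 {
		p = p[:i]
	}
	if dec, err := url.PathUnescape(p); err == nil {
		p = dec
	}
	p = strings.ReplaceAll(p, `\`, "/")
	if !strings.HasPrefix(p, "/") {
		p = "/" + p
	}
	return path.Clean(p)
}

// underPrefix is a segment-aware prefix test: "/private" matches "/private/x" but not "/privateer".
func underPrefix(p, prefix string) bool {
	prefix = strings.TrimSuffix(prefix, "/")
	return p == prefix || strings.HasPrefix(p, prefix+"/")
}

// ScanAccessLog returns every request with a backslash in its URI and marks those whose
// normalized path resolves under protectedPrefix.
func ScanAccessLog(lines []string, protectedPrefix string) []Finding {
	var findings []Finding
	for _, line := range lines {
		var e accessEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			continue // not an access-log record; skip it
		}
		if !hasBackslash(e.Request.URI) {
			continue
		}
		norm := NormalizePath(e.Request.URI)
		findings = append(findings, Finding{
			RemoteIP:    e.Request.RemoteIP,
			URI:         e.Request.URI,
			Normalized:  norm,
			InProtected: underPrefix(norm, protectedPrefix),
			Status:      e.Status,
		})
	}
	return findings
}

func main() {
	for _, f := range ScanAccessLog(SampleLog, "/private/") {
		note := "backslash in path"
		if f.InProtected {
			note = "resolves into protected prefix"
		}
		fmt.Printf("%-13s %3d %-32s -> %-22s %s\n", f.RemoteIP, f.Status, f.URI, f.Normalized, note)
	}
}
```

Run against the embedded sample, the scan reports two requests: the /private%5csecret.txt request is marked as resolving into the protected prefix (and its 200 status shows it was served), while the /static%5Cimg%5Clogo.png request is reported only as a backslash in the path. Feeding real log files in means reading lines from the access log instead of SampleLog; the prefix argument should be the same prefix your Caddy route protects.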

Mitigation Strategies

The immediate mitigation step is to upgrade Caddy to version 2.11.4 or later, where this vulnerability is fixed.

If upgrading immediately is not possible, consider implementing additional access controls or filters that block requests containing backslashes in the URL, whether literal or percent-encoded (%5c or %5C), so that path-based authorization cannot be bypassed.

Also, review your Caddy configuration to ensure that path matchers and file_server directives are properly aligned and consider normalizing or rejecting requests with backslashes before authorization checks.
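As an added example (not part of this page and not Caddy's own code), the following Go program shows the two mitigation patterns described above side by side using net/http handlers and an in-memory httptest client. NaiveGuard reproduces the decision the advisory describes: the credential check applies only when the parsed request path starts with /private/, so a path whose separator is a backslash is never challenged. HardenedGuard rejects any request carrying a backslash (literal or %5c in either case) before the authorization step and, as a second layer, makes its decision on a cleaned, separator-normalized path. The backend handler, the bearer token, the /private/ prefix and the request targets are all constructed; the backend stands in for file_server and does not model Windows path resolution.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// ProtectedPrefix is the path-scoped route that should require credentials (constructed).
const ProtectedPrefix = "/private/"

// backend stands in for file_server: it serves whatever path reaches it and makes no
// access decision of its own.
func backend(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	fmt.Fprintf(w, "served %s", r.URL.Path)
}

// hasCredential is a constructed stand-in for the auth step on the protected route.
func hasCredential(r *http.Request) bool {
	return r.Header.Get("Authorization") == "Bearer example-token"
}

// NaiveGuard mirrors the matcher behaviour in the advisory: the auth check applies only
// when the parsed path starts with /private/, so "/private\secret.txt" is never challenged.
func NaiveGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.URL.Path, ProtectedPrefix) && !hasCredential(r) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// HardenedGuard applies both mitigations from the text: it rejects any request whose path
// carries a backslash (literal or %5c in either case), and it makes the authorization
// decision on a cleaned, separator-normalized path rather than on the raw one.
func HardenedGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// r.URL.Path is already percent-decoded; RawPath keeps the original encoding when it differs.
		if strings.Contains(r.URL.Path, `\`) || strings.Contains(strings.ToLower(r.URL.RawPath), "%5c") {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		// Folding '\' to '/' is redundant after the rejection above but keeps the decision
		// correct if that check were ever removed; path.Clean also resolves dot-segments.
		norm := path.Clean(strings.ReplaceAll(r.URL.Path, `\`, "/"))
		if strings.HasPrefix(norm, ProtectedPrefix) && !hasCredential(r) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends one in-memory GET through the given guard and returns the status code.
func Probe(guard func(http.Handler) http.Handler, target, token string) int {
	req := httptest.NewRequest(http.MethodGet, target, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	guard(http.HandlerFunc(backend)).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, tc := range []struct {
		name   string
		guard  func(http.Handler) http.Handler
		target string
	}{
		{"naive", NaiveGuard, "/private/secret.txt"},
		{"naive", NaiveGuard, "/private%5csecret.txt"},
		{"hardened", HardenedGuard, "/private/secret.txt"},
		{"hardened", HardenedGuard, "/private%5csecret.txt"},
	} {
		fmt.Printf("%-8s GET %-24s -> %d\n", tc.name, tc.target, Probe(tc.guard, tc.target, ""))
	}
}
```

The naive guard answers 401 for /private/secret.txt but 200 for /private%5csecret.txt, which is the gap the advisory describes; the hardened guard answers 400 for the backslash form and 401 for the plain one until a credential is supplied. Rejecting backslashes is the simpler of the two measures and is the one to apply first, since there is no legitimate reason for a backslash to appear in a URL path served from a directory; the normalization step is what keeps matcher and file lookup agreeing on which directory a path belongs to.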
