Caddy Web Server (Caddy Server): HTTP / HTTPS Server

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Caddy Web Server.

EOL Dates

Ensure that you are using a supported version of Caddy Web Server. Here are the end-of-life and end-of-support dates for Caddy Web Server.

Release   EOL Date       Status
2         -              Active
1         July 1, 2020   EOL

Caddy Web Server 1 became EOL in 2020.

By the Year

In 2026 there have been 6 vulnerabilities in Caddy Web Server. Caddy Web Server did not have any published security vulnerabilities last year, so 6 more vulnerabilities have already been reported in 2026 than in all of last year.

Year   Vulnerabilities   Average Score
2026   6                 0.00
2025   0                 0.00
2024   0                 0.00
2023   3                 6.70
2022   2                 6.80
2021   0                 0.00
2020   1                 0.00
2019   0                 0.00
2018   1                 3.70

It may take a day or so for new Caddy Web Server vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Caddy Web Server Security Vulnerabilities

Caddy FastCGI Path Split Unicode Bug (v<2.11.1) Leading to Path Confusion
CVE-2026-27590 - February 24, 2026

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment). Version 2.11.1 fixes the issue.

Improper Input Validation

Caddy: Admin API /load Config Injection (pre-2.11.1)
CVE-2026-27589 - February 24, 2026

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origin` not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behavior without user intent. Version 2.11.1 contains a fix for the issue.

Session Riding

Caddy HTTP Host Matcher Case-Sensitivity Bypass (pre-2.11.1)
CVE-2026-27588 - February 24, 2026

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the casing of the `Host` header. Version 2.11.1 contains a fix for the issue.

Improper Handling of Case Sensitivity

Caddy Path Matcher Case-Insensitivity Bug (pre-2.11.1)
CVE-2026-27587 - February 24, 2026

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path. Version 2.11.1 contains a fix for the issue.

Improper Handling of Case Sensitivity

Caddy mTLS Auth Silent Fail Before v2.11.1
CVE-2026-27586 - February 24, 2026

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but accepts any client certificate signed by any system-trusted CA, completely bypassing the intended private CA trust boundary. Any deployment using `trusted_ca_cert_file` or `trusted_ca_certs_pem_files` for mTLS will silently degrade to accepting any system-trusted client certificate if the CA file becomes unavailable. This can happen due to a typo in the path, file rotation, corruption, or permission changes. The server gives no indication that mTLS is misconfigured. Version 2.11.1 fixes the vulnerability.

Improper Handling of Exceptional Conditions

Caddy Path Sanitization Bypass via Backslashes (v<2.11.1)
CVE-2026-27585 - February 24, 2026

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in the file matcher does not sanitize backslashes, which can lead to bypassing path-related security protections. It affects users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue.

Improper Input Validation

Caddy GeoIP Middleware <0.6.0: X-Forwarded-For Spoofing
CVE-2023-50463 6.5 - Medium - December 10, 2023

The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism (trusted_proxy directive in reverse_proxy or IP address range restrictions).

Authentication Bypass by Spoofing

HTTP/2 DoS via Stream Reset in nginx
CVE-2023-44487 7.5 - High - October 10, 2023

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Resource Exhaustion

Caddy v2.4.6 Open Redirect Vulnerability
CVE-2022-28923 6.1 - Medium - February 06, 2023

Caddy v2.4.6 was discovered to contain an open redirection vulnerability which allows attackers to redirect users to phishing websites via crafted URLs.

Open Redirect

An out-of-bounds read in the rewrite function at /modules/caddyhttp/rewrite/rewrite.go in Caddy v2.5.1
CVE-2022-34037 7.5 - High - July 22, 2022

An out-of-bounds read in the rewrite function at /modules/caddyhttp/rewrite/rewrite.go in Caddy v2.5.1 allows attackers to cause a Denial of Service (DoS) via a crafted URI. Note: This has been disputed as a bug, not a security vulnerability, in the Caddy web server that emerged when an administrator's bad configuration containing a malformed request URI caused the server to return an empty reply instead of a valid HTTP response to the client.

Out-of-bounds Read

Caddy v2.4 was discovered to contain an open redirect vulnerability
CVE-2022-29718 6.1 - Medium - June 02, 2022

Caddy v2.4 was discovered to contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click on crafted links.

Open Redirect

Caddy before 0.10.13 mishandles TLS client authentication
CVE-2018-21246 - June 15, 2020

Caddy before 0.10.13 mishandles TLS client authentication, as demonstrated by an authentication bypass caused by the lack of the StrictHostMatching mode.

Caddy through 0.11.0 sends incorrect certificates for certain invalid requests, making it easier for attackers to enumerate hostnames
CVE-2018-19148 3.7 - Low - November 10, 2018

Caddy through 0.11.0 sends incorrect certificates for certain invalid requests, making it easier for attackers to enumerate hostnames. Specifically, when unable to match a Host header with a vhost in its configuration, it serves the X.509 certificate for a randomly selected vhost in its configuration. Repeated requests (with a nonexistent hostname in the Host header) permit full enumeration of all certificates on the server. This generally permits an attacker to easily and accurately discover the existence of and relationships among hostnames that weren't meant to be public, though this information could likely have been discovered via other methods with additional effort.

Information Disclosure
