Caddy Path Matcher case-insensitive bug (pre-2.11.1)
CVE-2026-27587 Published on February 24, 2026
Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path. Version 2.11.1 contains a fix for the issue.
Weakness Type
Improper Handling of Case Sensitivity
The software does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.
Products Associated with CVE-2026-27587
Want to know whenever a new CVE is published for Caddy Server Caddy Web Server? stack.watch will email you.
Affected Versions
caddyserver caddy Version < 2.11.1 is affected by CVE-2026-27587Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.