Caddy HTTP Host Matcher Case-Sensitivity Bypass (2.11.1)
CVE-2026-27588 Published on February 24, 2026
Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the casing of the `Host` header. Version 2.11.1 contains a fix for the issue.
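The mechanism the advisory describes, modelled in Go as an added example (this is not Caddy's own code; the real threshold, data structure and fix in Caddy are not shown on this page). The vulnerable model compares short host lists case-insensitively but switches to an exact map lookup once the list exceeds an assumed threshold of 100 entries; the fixed model folds case when the index is built and again when a request is matched, so both paths agree. The host names and the `admin.example.com` entry are constructed sample data; port suffixes on the Host value are not handled.

```go
package main

import (
	"fmt"
	"strings"
)

// fastPathThreshold stands in for the ">100 entries" condition named in the
// advisory. The real Caddy threshold and data structure are not shown on this
// page; this constant and the matchers below are an illustrative model.
const fastPathThreshold = 100

// vulnerableMatcher models the pre-2.11.1 defect: short lists are compared
// with strings.EqualFold (case-insensitive), but once the list is large a
// map keyed on the configured spelling is used, and map lookups are exact,
// so the optimised path silently becomes case-sensitive.
type vulnerableMatcher struct {
	hosts []string
	index map[string]struct{} // only built for large lists
}

func newVulnerableMatcher(hosts []string) *vulnerableMatcher {
	m := &vulnerableMatcher{hosts: hosts}
	if len(hosts) > fastPathThreshold {
		m.index = make(map[string]struct{}, len(hosts))
		for _, h := range hosts {
			m.index[h] = struct{}{} // stored as configured, no case folding
		}
	}
	return m
}

// Match reports whether the request's Host value matches the configured list.
func (m *vulnerableMatcher) Match(reqHost string) bool {
	if m.index != nil {
		_, ok := m.index[reqHost] // exact, case-sensitive lookup
		return ok
	}
	for _, h := range m.hosts {
		if strings.EqualFold(h, reqHost) {
			return true
		}
	}
	return false
}

// fixedMatcher lowercases both when the index is built and when a request is
// matched, so the linear and indexed paths agree regardless of list size.
type fixedMatcher struct {
	hosts []string
	index map[string]struct{}
}

func newFixedMatcher(hosts []string) *fixedMatcher {
	m := &fixedMatcher{hosts: make([]string, 0, len(hosts))}
	for _, h := range hosts {
		m.hosts = append(m.hosts, strings.ToLower(h))
	}
	if len(hosts) > fastPathThreshold {
		m.index = make(map[string]struct{}, len(hosts))
		for _, h := range m.hosts {
			m.index[h] = struct{}{}
		}
	}
	return m
}

// Match normalises the request host before either lookup path runs.
func (m *fixedMatcher) Match(reqHost string) bool {
	reqHost = strings.ToLower(reqHost)
	if m.index != nil {
		_, ok := m.index[reqHost]
		return ok
	}
	for _, h := range m.hosts {
		if h == reqHost {
			return true
		}
	}
	return false
}

// constructedHosts builds a sample host list of n generated names plus a
// protected "admin.example.com" entry that the route is meant to guard.
func constructedHosts(n int) []string {
	hosts := make([]string, 0, n+1)
	hosts = append(hosts, "admin.example.com")
	for i := 1; i <= n; i++ {
		hosts = append(hosts, fmt.Sprintf("svc%d.example.com", i))
	}
	return hosts
}

func main() {
	probe := "ADMIN.example.com" // the same host as configured, different casing
	for _, n := range []int{10, 150} {
		hosts := constructedHosts(n)
		fmt.Printf("%3d hosts: vulnerable=%v fixed=%v\n", len(hosts),
			newVulnerableMatcher(hosts).Match(probe), newFixedMatcher(hosts).Match(probe))
	}
}
```

With 11 configured hosts both matchers accept the differently cased probe; with 151 the vulnerable model rejects it, so a request carrying that casing falls through to whatever route comes next and the access controls attached to the host-matched route are never evaluated. The fixed model accepts it in both cases because normalisation happens on the same side of the threshold check every time. When reviewing a deployment, the condition to look for is a `host` matcher with more than 100 entries on a version below 2.11.1.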
Weakness Type
Improper Handling of Case Sensitivity
The software does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.
Products Associated with CVE-2026-27588
Affected Versions
caddyserver caddy Version < 2.11.1 is affected by CVE-2026-27588
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.