Caddy FastCGI SplitPos RCE via non-ASCII Path (2.7-2.11.3)
CVE-2026-45135 Published on June 23, 2026
Caddy: Unsafe Unicode Handling in FastCGI splitPos Allows Execution of Non-PHP Files
Caddy is an extensible server platform that uses TLS by default. From 2.7.0 until 2.11.3, the FastCGI transport's splitPos() in modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead Caddy's FastCGI splitting into treating a non-.php (or other configured split_path extension) file as a script. In any deployment where the attacker can place content into a file served via FastCGI (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw. This vulnerability is fixed in 2.11.3.
Vulnerability Analysis
CVE-2026-45135 can be exploited with network access and does not require authorization privileges or user interaction. This vulnerability is considered to have a high level of attack complexity. A public proof-of-concept (PoC) exploit exists for CVE-2026-45135. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Types
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Improper Handling of Unicode Encoding
The software does not properly handle when an input contains Unicode encoding.
Improper Handling of Case Sensitivity
The software does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.