Caddy 2.11.4: Windows Auth Bypass via Path Matcher (pre-2.11.4)
CVE-2026-52844 Published on June 23, 2026
Caddy: Windows `file_server` path authorization bypass via encoded backslash
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, on Windows, Caddy path matchers treat /private\secret.txt as outside /private/*, but file_server later resolves the same request path as private\secret.txt on disk. An unauthenticated remote client can bypass Caddy path-scoped auth/deny routes protecting /private/*. This vulnerability is fixed in 2.11.4.
Vulnerability Analysis
CVE-2026-52844 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Types
What is a Directory traversal Vulnerability?
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CVE-2026-52844 has been classified to as a Directory traversal vulnerability or weakness.
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2026-52844 has been classified to as an Authorization vulnerability or weakness.
Products Associated with CVE-2026-52844
Want to know whenever a new CVE is published for Caddy Server Caddy Web Server? stack.watch will email you.
