Description
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. It affects users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue.
Published: 2026-02-24
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Bypass of path security
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in Caddy's file matcher path sanitization routine, which does not sanitize backslashes before glob matching. This flaw falls under CWE-20 and allows crafted requests to bypass the intended directory boundaries. As a result, an attacker could request files outside the served directory, potentially accessing sensitive data.

Affected Systems

The issue affects users running Caddy versions older than 2.11.1 under configurations that enable the file matcher with glob patterns. It is resolved in release 2.11.1; any instance running that version or later is no longer impacted.

Risk and Exploitability

The CVSS score of 6.9 denotes medium severity, and the EPSS score (<1%) indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in KEV. Attackers could exploit this remotely by sending HTTP requests with backslashes in the URL path to achieve unauthorized file access, provided the server accepts such requests and there is no additional authentication barrier. Effectiveness depends on the server's configuration and its exposure to external traffic.

Generated by OpenCVE AI on April 17, 2026 at 15:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Caddy v2.11.1 or later to apply the path sanitization fix.
  • Temporarily disable or restrict the use of glob patterns or backslashes in the file matcher configuration until an upgrade is possible.
  • Verify that the server's URL paths no longer resolve to files outside the intended directory by performing internal path validation tests.


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-4xrr-hq4w-6vf4
Title: Caddy: Improper sanitization of glob characters in file matcher may lead to bypassing security protections
History

Thu, 26 Feb 2026 23:15:00 +0000

Metrics (values added): ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 17:15:00 +0000

CPEs (values added): cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*
Metrics (values added): cvssV3_1
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Wed, 25 Feb 2026 12:00:00 +0000

First Time appeared (values added): Caddyserver; Caddyserver caddy
Vendors & Products (values added): Caddyserver; Caddyserver caddy

Tue, 24 Feb 2026 16:30:00 +0000

Description (values added): Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. It affects users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue.
Title (values added): Caddy's improper sanitization of glob characters in file matcher may lead to bypassing security protections
Weaknesses (values added): CWE-20
References (values added):
Metrics (values added): cvssV4_0
{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T21:17:36.422Z

Reserved: 2026-02-20T17:40:28.450Z

Link: CVE-2026-27585

Vulnrichment

Updated: 2026-02-26T21:01:54.212Z

NVD

Status: Analyzed

Published: 2026-02-24T17:29:03.620

Modified: 2026-02-25T17:13:16.240

Link: CVE-2026-27585

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:45:15Z

Weaknesses