Description
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the casing of the `Host` header. Version 2.11.1 contains a fix for the issue.
Published: 2026-02-24
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Host‑based route and authorization bypass, allowing unauthorized request handling
Action: Patch promptly
AI Analysis

Impact

The vulnerability causes Caddy's HTTP `host` matcher to become case-sensitive when it is configured with more than 100 host entries, contrary to its documented case-insensitive behaviour. This is an instance of CWE-178 (Improper Handling of Case Sensitivity). An attacker can send a Host header that differs from a configured hostname only in letter casing; the matcher fails to recognise it, so the request is not handled by the intended route and instead falls through to whichever route matches next (or to the default handler). Any access control attached to the intended route, such as an authentication handler or a deny rule, is therefore never applied, and the attacker can reach handlers or resources that the host-based routing was meant to restrict.
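To make the mechanism concrete, the following Go program is an added example written for this page; it is not Caddy's MatchHost code, and the threshold constant, type and function names are assumptions for illustration. It builds a toy host matcher with a linear case-folding path for small lists and an exact-key map fast path for lists over 100 entries, shows a differently cased Host header falling through to a catch-all route on the vulnerable variant, and shows the lookup-side lowercasing that restores the documented behaviour.

```go
package main

import (
	"fmt"
	"strings"
)

// largeListThreshold mirrors the ">100 entries" boundary from the advisory.
// The name and the mechanics below are assumptions for illustration; this is
// not Caddy's MatchHost implementation.
const largeListThreshold = 100

// hostMatcher keeps a linear list for small configurations and, for large
// ones, an additional map used as a fast exact-key lookup.
type hostMatcher struct {
	hosts []string            // configured hostnames, lowercased at provision time
	large map[string]struct{} // non-nil only when len(hosts) > largeListThreshold
}

func newHostMatcher(configured []string) *hostMatcher {
	m := &hostMatcher{}
	for _, h := range configured {
		m.hosts = append(m.hosts, strings.ToLower(h))
	}
	if len(m.hosts) > largeListThreshold {
		m.large = make(map[string]struct{}, len(m.hosts))
		for _, h := range m.hosts {
			m.large[h] = struct{}{}
		}
	}
	return m
}

// matchVulnerable models the defect: the linear path compares with EqualFold,
// but the fast path indexes the map with the request host exactly as received,
// so a differently cased Host header misses.
func (m *hostMatcher) matchVulnerable(reqHost string) bool {
	if m.large != nil {
		_, ok := m.large[reqHost]
		return ok
	}
	return m.slowMatch(reqHost)
}

// matchFixed normalizes the request host before the map lookup so both paths
// agree with the documented case-insensitive behaviour.
func (m *hostMatcher) matchFixed(reqHost string) bool {
	if m.large != nil {
		_, ok := m.large[strings.ToLower(reqHost)]
		return ok
	}
	return m.slowMatch(reqHost)
}

func (m *hostMatcher) slowMatch(reqHost string) bool {
	for _, h := range m.hosts {
		if strings.EqualFold(h, reqHost) {
			return true
		}
	}
	return false
}

// route models a server with a protected route guarded by the host matcher and
// a catch-all route behind it; it returns which route handled the request.
// Real Host values may carry a port (and HTTP/2 uses :authority); the example
// ignores ports.
func route(match func(string) bool, reqHost string) string {
	if match(reqHost) {
		return "protected" // e.g. a route with an auth handler attached
	}
	return "catch-all" // whatever route comes next in the config
}

// hostList builds n constructed hostnames: svc1.example.com ... svcN.example.com.
func hostList(n int) []string {
	hosts := make([]string, 0, n)
	for i := 1; i <= n; i++ {
		hosts = append(hosts, fmt.Sprintf("svc%d.example.com", i))
	}
	return hosts
}

func main() {
	small := newHostMatcher(hostList(3))
	large := newHostMatcher(hostList(101)) // crosses the threshold
	for _, h := range []string{"svc1.example.com", "Svc1.Example.com"} {
		fmt.Printf("%-18s small(vuln)=%-9s large(vuln)=%-9s large(fixed)=%s\n",
			h,
			route(small.matchVulnerable, h),
			route(large.matchVulnerable, h),
			route(large.matchFixed, h))
	}
}
```

Run with `go run`: the mixed-case host reaches the protected route on the 3-entry list and on the fixed 101-entry matcher, but lands on the catch-all route with the vulnerable 101-entry matcher, which is exactly the fall-through the advisory describes.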

Affected Systems

The issue affects Caddy (caddyserver caddy) in all versions before 2.11.1, on any operating system or deployment method. Only configurations whose `host` matcher list contains more than 100 hostnames take the optimized matching path and are therefore exposed; host lists of 100 or fewer entries keep the documented case-insensitive behaviour.

Risk and Exploitability

The CVSS v4.0 assessment on the GitHub advisory scores the issue 7.7 (High); its vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/E:P) rates integrity impact as high and confidentiality and availability impact as none, since the attacker controls which handler processes a request rather than reading data directly. NVD's CVSS v3.1 assessment is 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), which also rates confidentiality impact as high; both vectors are recorded in the History section. The EPSS score is below 1%, suggesting a low likelihood of exploitation at present, and the vulnerability is not in the CISA Known Exploited Vulnerabilities catalog, although the SSVC record marks exploitation as "poc" and the attack as automatable. Exploitation requires only network access to the Caddy instance and the ability to send an HTTP request with a manipulated Host header; no local access, prior privilege, or user interaction is needed.

Generated by OpenCVE AI on April 18, 2026 at 17:44 UTC.

Remediation

The vendor fix is Caddy 2.11.1, as stated in the description and in the GitHub advisory; no separate vendor-published workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade Caddy to version 2.11.1 or later, which restores case‑insensitive matching for host lists of any size.
  • If an upgrade cannot be performed immediately, keep each `host` matcher list at or below 100 entries (for example by splitting one large list across several routes with the same handlers), since the description ties the case‑sensitive path to the size of a single host list.
  • Alternatively, place a web application firewall rule or proxy filter in front of Caddy that lowercases the hostname part of the incoming Host header (or rejects requests whose Host does not match a configured name case‑sensitively). Normalization is the safer choice, because hostnames are case‑insensitive and legitimate clients may send mixed case.
  • After patching or applying a workaround, verify by sending the same request twice with a lowercase and a mixed‑case Host header and confirming that both reach the same route and the same access controls.

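As an added example of the proxy-side normalization action above (not code from OpenCVE or from the Caddy project), the Go program below shows a net/http middleware that lowercases the hostname part of the Host header, preserving any port suffix and IPv6 brackets, before a downstream exact-match host router sees it. The router, the route names and the hostnames are constructed for the demonstration; the downstream router stands in for the case-sensitive lookup the advisory describes.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// normalizeHost is an illustrative front-end middleware (not Caddy code) that
// lowercases the hostname part of Host before the request reaches any
// host-based routing.
func normalizeHost(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Host = canonicalHost(r.Host)
		next.ServeHTTP(w, r)
	})
}

// canonicalHost lowercases the host portion of a Host header value while
// keeping a port suffix and IPv6 brackets intact.
func canonicalHost(h string) string {
	host, port, err := net.SplitHostPort(h)
	if err != nil {
		// no port present: fold the whole value
		return strings.ToLower(h)
	}
	return net.JoinHostPort(strings.ToLower(host), port)
}

// exactHostRouter stands in for a downstream server whose host lookup is
// exact-match, the behaviour the advisory describes for large host lists.
// The protected route answers 401 where an auth handler would run; the
// catch-all route answers 200.
func exactHostRouter(protected map[string]struct{}) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := protected[r.Host]; ok {
			w.WriteHeader(http.StatusUnauthorized)
			fmt.Fprint(w, "protected")
			return
		}
		w.WriteHeader(http.StatusOK)
		fmt.Fprint(w, "catch-all")
	})
}

// handlerFor reports which route a request with the given Host header reaches.
func handlerFor(h http.Handler, hostHeader string) string {
	req := httptest.NewRequest(http.MethodGet, "http://placeholder/", nil)
	req.Host = hostHeader
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Body.String()
}

func main() {
	// constructed configuration: one protected hostname, stored lowercase
	protected := map[string]struct{}{"admin.example.com": {}}
	bare := exactHostRouter(protected)
	wrapped := normalizeHost(bare)
	for _, h := range []string{"admin.example.com", "Admin.Example.com", "ADMIN.EXAMPLE.COM"} {
		fmt.Printf("%-20s without=%-10s with=%s\n", h, handlerFor(bare, h), handlerFor(wrapped, h))
	}
}
```

Without the middleware, `Admin.Example.com` slips past the protected route to the catch-all; with it, every casing reaches the protected route. The same normalization is what a WAF or upstream proxy rule should perform.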

Advisories
Source: GitHub GHSA | ID: GHSA-x76f-jf84-rqj8 | Title: Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass
History

Fri, 27 Feb 2026 21:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 17:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*

Type: Metrics (cvssV3_1)
Values Added: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


Wed, 25 Feb 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Caddyserver; Caddyserver caddy

Type: Vendors & Products
Values Added: Caddyserver; Caddyserver caddy

Tue, 24 Feb 2026 17:00:00 +0000

Type: Description
Values Added: Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the casing of the `Host` header. Version 2.11.1 contains a fix for the issue.

Type: Title
Values Added: Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass

Type: Weaknesses
Values Added: CWE-178

Type: References

Type: Metrics (cvssV4_0)
Values Added: {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T20:47:36.164Z

Reserved: 2026-02-20T17:40:28.450Z

Link: CVE-2026-27588

Vulnrichment

Updated: 2026-02-27T20:47:32.069Z

NVD

Status : Analyzed

Published: 2026-02-24T17:29:04.163

Modified: 2026-02-25T17:10:48.980

Link: CVE-2026-27588

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:45:06Z

Weaknesses