Description
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment). Version 2.11.1 fixes the issue.
Published: 2026-02-24
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential remote code execution through path confusion
Action: Patch
AI Analysis

Impact

Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then applies that byte index to the original path. Because Unicode case folding can change the UTF‑8 byte length of a character, the derived SCRIPT_NAME/SCRIPT_FILENAME and PATH_INFO values can be wrong, so the server may hand the PHP interpreter a different on‑disk file than the request path names. Where an attacker can also supply file contents (for example through an upload feature), the flaw may cause PHP to execute a non‑.php file, which amounts to remote code execution in deployments that proxy to PHP over FastCGI.
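The following Go program is an added illustration of the mechanism described in the Description and Impact sections above; it is not Caddy's source and not the fix shipped in 2.11.1. It reimplements the described pattern (locate the split marker in a lowercased copy, slice the original with that index) beside an index-preserving variant, feeds both a constructed request path whose file name ends in ".txt" but contains U+023A characters that expand from two to three bytes under strings.ToLower, and includes a triage check a practitioner can apply to request logs. It also covers the contraction case (U+212A KELVIN SIGN folds to the one-byte "k"), which shifts the index the other way. The names splitPosVulnerable, splitPosFixed, buildEnv and foldChangesLength are this example's own.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// splitPosVulnerable mirrors the pattern the advisory describes (it is not
// Caddy's source): the split marker is located in a lowercased copy of the
// path, and the resulting byte index is then applied to the original path.
// strings.ToLower can change a rune's UTF-8 length, so the index is only
// valid in the copy, not in the original.
func splitPosVulnerable(path string, splits []string) int {
	lower := strings.ToLower(path)
	for _, split := range splits {
		if idx := strings.Index(lower, strings.ToLower(split)); idx >= 0 {
			return idx + len(split)
		}
	}
	return -1
}

// splitPosFixed matches the split marker case-insensitively but walks the
// original path rune by rune, so every offset it returns is measured in the
// original bytes. This is one correct approach (an assumption of this
// example), not necessarily the change made in Caddy 2.11.1.
func splitPosFixed(path string, splits []string) int {
	for _, split := range splits {
		lowerSplit := strings.ToLower(split)
		for i := 0; i < len(path); {
			if end, ok := foldPrefixEnd(path, i, lowerSplit); ok {
				return end
			}
			_, size := utf8.DecodeRuneInString(path[i:])
			i += size
		}
	}
	return -1
}

// foldPrefixEnd reports whether the runes of path starting at byte offset
// start lowercase to exactly lowerSplit and, if so, the byte offset in path
// just past them. unicode.ToLower per rune is what strings.ToLower applies.
func foldPrefixEnd(path string, start int, lowerSplit string) (int, bool) {
	matched := 0 // bytes of lowerSplit consumed so far
	i := start
	for matched < len(lowerSplit) && i < len(path) {
		r, size := utf8.DecodeRuneInString(path[i:])
		lr := string(unicode.ToLower(r))
		if !strings.HasPrefix(lowerSplit[matched:], lr) {
			return 0, false
		}
		matched += len(lr)
		i += size
	}
	return i, matched == len(lowerSplit)
}

// fcgiEnv holds the two derived values the advisory says go wrong.
type fcgiEnv struct {
	ScriptName string // SCRIPT_FILENAME is this appended to the document root
	PathInfo   string
}

// buildEnv derives SCRIPT_NAME and PATH_INFO from a request path with the
// given split function, the way the description says the transport does.
func buildEnv(path string, splits []string, pos func(string, []string) int) fcgiEnv {
	p := pos(path, splits)
	// Demo-only guard: with enough expansion before the marker the vulnerable
	// index can exceed len(path), and slicing would panic.
	if p < 0 || p > len(path) {
		return fcgiEnv{ScriptName: path}
	}
	return fcgiEnv{ScriptName: path[:p], PathInfo: path[p:]}
}

// foldChangesLength is a cheap triage check for logs or a request filter:
// only paths whose byte length changes under strings.ToLower can shift the
// split index.
func foldChangesLength(path string) bool {
	return len(strings.ToLower(path)) != len(path)
}

func main() {
	splits := []string{".php"}
	// Constructed attack path: four U+023A characters (2 bytes each) lowercase
	// to U+2C65 (3 bytes each), shifting the ".php" index by 4 bytes so the
	// whole ".php.txt" name becomes SCRIPT_NAME. The name does not end in
	// ".php", so a naive upload filter would accept it.
	path := "/uploads/ȺȺȺȺ.php.txt"
	fmt.Printf("fold changes length: %v\n", foldChangesLength(path))
	fmt.Printf("vulnerable: %+v\n", buildEnv(path, splits, splitPosVulnerable))
	fmt.Printf("fixed:      %+v\n", buildEnv(path, splits, splitPosFixed))
}
```

With the vulnerable split the uploaded ".txt" file is passed to PHP-FPM as the script itself and PATH_INFO is empty; with the index-preserving split SCRIPT_NAME ends at ".php" (a file that does not exist) and ".txt" becomes PATH_INFO, which is the behaviour a correctly configured server shows for such a request.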

Affected Systems

The flaw exists in the open‑source Caddy HTTP/HTTPS server from caddyserver. All versions of Caddy released before 2.11.1 are affected. The issue only manifests when the FastCGI transport is used with a split path, which is the normal configuration when Caddy proxies to PHP-FPM (the php_fastcgi directive splits on .php). The request path is attacker‑controlled in any public deployment; the impact escalates from wrong script selection to code execution where the attacker can also place file contents on disk, for example through an upload feature.

Risk and Exploitability

The CVSS v4.0 base score of 8.9 (the CVSS v3.1 assessment recorded in the history below is 9.8) categorizes this vulnerability as high severity, while the EPSS score of less than 1% reflects a low predicted probability of in‑the‑wild exploitation rather than an absence of exploit code: the SSVC assessment records a public proof of concept (Exploitation: poc) and rates the flaw as automatable. It is not listed in the CISA KEV catalog. An attacker needs only an unauthenticated HTTP request whose path contains, before the `.php` marker, a character whose UTF‑8 length changes under `strings.ToLower()`, so that the split index computed on the lowercased copy lands on the wrong byte of the original path. Where the attacker can also place file contents on disk (uploads, dynamically written paths), this becomes code execution; otherwise the impact is confined to environments that proxy to PHP over FastCGI.

Generated by OpenCVE AI on April 16, 2026 at 16:22 UTC.

Remediation

Vendor fix: Caddy 2.11.1 corrects the FastCGI path splitting logic. No vendor workaround for earlier versions is documented.

OpenCVE Recommended Actions

  • Upgrade Caddy to version 2.11.1 or a later release that contains the FastCGI path splitting fix.
  • If an upgrade is not immediately possible, keep the FastCGI transport away from paths an unauthenticated user can populate: serve upload directories with file_server only, and disable upload features that accept arbitrary file contents.
  • Verify that the FastCGI configuration only proxies statically defined PHP scripts. As defense in depth on the PHP side, PHP-FPM's `security.limit_extensions` setting (which by default allows only `.php`, and `.phar`) refuses to execute a script whose path does not end in a listed extension, so a wrongly derived SCRIPT_FILENAME ending in `.txt` is rejected rather than run.


Advisories

Source: GitHub GHSA
ID: GHSA-5r3v-vc8m-m96g
Title: Caddy: Unicode case-folding length expansion causes incorrect split_path index in FastCGI transport
History

Fri, 27 Feb 2026 21:15:00 +0000

Type: Metrics
Values added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 17:15:00 +0000

Type: CPEs
Values added: cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*

Type: Metrics
Values added: cvssV3_1
{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 25 Feb 2026 12:00:00 +0000

Type: First Time appeared
Values added: Caddyserver; Caddyserver caddy

Type: Vendors & Products
Values added: Caddyserver; Caddyserver caddy

Tue, 24 Feb 2026 17:00:00 +0000

Type: Description
Values added: Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment). Version 2.11.1 fixes the issue.

Type: Title
Values added: Caddy: Unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FastCGI transport

Type: Weaknesses
Values added: CWE-180; CWE-20

Type: References

Type: Metrics
Values added: cvssV4_0
{'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T20:52:00.327Z

Reserved: 2026-02-20T17:40:28.450Z

Link: CVE-2026-27590

Vulnrichment

Updated: 2026-02-27T20:51:56.951Z

NVD

Status : Analyzed

Published: 2026-02-24T17:29:04.493

Modified: 2026-02-25T17:07:09.600

Link: CVE-2026-27590

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:30:15Z

Weaknesses