Description
Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal layer do not agree on what object the path refers to. In this case, a path authorized for one config object is accepted, but then resolves to a different config object during traversal. This happens because the authorization layer uses string prefix matching and the /config traversal layer parses array indices numerically using strconv.Atoi(). This vulnerability is fixed in 2.11.3.
Published: 2026-06-23
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

From Caddy version 2.4.0 through 2.11.3, the authorization system and the /config traversal subsystem interpret request paths differently. The authorization layer uses string prefix matching to determine an allowed config object, while the /config traversal layer parses array indices numerically using strconv.Atoi(). Consequently, a path that is authorized for one configuration object can resolve to a different object during traversal, allowing an attacker to read or modify configuration data that should not be accessible. This breach is an input validation flaw (CWE-187), an authorization bypass (CWE-863), and can also be interpreted as a path traversal issue (CWE-551). The vulnerability is fixed in Caddy 2.11.3.

Affected Systems

The affected product is Caddy from the caddyserver organization. All Caddy releases from version 2.4.0 up to 2.11.2 are impacted. Operating systems or deployment methods are not further specified in the advisory.

Risk and Exploitability

The CVSS score of 5.4 and an EPSS score of less than 1% indicate a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. This flaw allows a remote attacker who can send HTTP requests to the /config endpoint to bypass authorization controls, potentially read or modify sensitive configuration data, and traverse configuration paths that should not be accessible. Based on the description, it is inferred that the /config API is normally restricted to trusted networks. The attack requires access to the /config endpoint and exploits the mismatch between the authorization layer and the traversal layer to obtain or alter configuration objects.

Generated by OpenCVE AI on July 14, 2026 at 01:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Caddy 2.11.3 or later to enforce consistent configuration path handling.
  • Ensure the /config API is only reachable from trusted networks or behind authentication by configuring firewalls or reverse‑proxy authentication.
  • If upgrading is not immediately possible, block the /config endpoint from untrusted networks using firewall rules or proxy settings to reduce exposure.

Generated by OpenCVE AI on July 14, 2026 at 01:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-x5w9-xh9r-mvfc Caddy: Remote Admin Authorization Bypass in `/config` API via Array Index Normalization
History

Thu, 09 Jul 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-551
References
Metrics threat_severity

None

threat_severity

Moderate


Fri, 26 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Caddyserver
Caddyserver caddy
Vendors & Products Caddyserver
Caddyserver caddy

Tue, 23 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal layer do not agree on what object the path refers to. In this case, a path authorized for one config object is accepted, but then resolves to a different config object during traversal. This happens because the authorization layer uses string prefix matching and the /config traversal layer parses array indices numerically using strconv.Atoi(). This vulnerability is fixed in 2.11.3.
Title Caddy: Remote Admin Authorization Bypass in `/config` API via Array Index Normalization
Weaknesses CWE-187
CWE-863
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


Subscriptions

Caddyserver Caddy
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T18:16:37.211Z

Reserved: 2026-05-13T04:38:01.164Z

Link: CVE-2026-45692

cve-icon Vulnrichment

Updated: 2026-06-26T18:15:48.785Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-23T17:55:11Z

Links: CVE-2026-45692 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-14T01:45:03Z

Weaknesses
  • CWE-187

    Partial String Comparison

  • CWE-551

    Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

  • CWE-863

    Incorrect Authorization