Description
Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal layer do not agree on what object the path refers to. In this case, a path authorized for one config object is accepted, but then resolves to a different config object during traversal. This happens because the authorization layer uses string prefix matching and the /config traversal layer parses array indices numerically using strconv.Atoi(). This vulnerability is fixed in 2.11.3.
Published: 2026-06-23
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

From Caddy version 2.4.0 up to but not including 2.11.3, the authorization system and the /config traversal subsystem interpret request paths differently. The authorization layer uses string prefix matching to decide which config object a request may touch, while the /config traversal layer parses array indices numerically using strconv.Atoi(). Consequently, a path that is authorized for one configuration object can resolve to a different object during traversal, allowing an attacker to read or modify configuration data that should not be accessible. The underlying weaknesses are classified as an input validation flaw (CWE-187) and an authorization bypass (CWE-863). The vulnerability is fixed in Caddy 2.11.3.
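As an added illustration of the two-layer disagreement described above (example code, not Caddy's own; the scope path, route layout and function names are constructed), the weak raw-prefix check and the Atoi-based traversal are shown side by side with a canonicalizing check that makes both layers name the same object:

```go
package main

import (
	"strconv"
	"strings"
)

// Constructed scope for this illustration: an admin token permitted to touch
// only route index 1. The path layout is hypothetical, not Caddy's own.
const allowedScope = "/config/apps/http/servers/srv0/routes/1"

// authorizedByPrefix models the weak check in the advisory: raw-path prefix match.
func authorizedByPrefix(path string) bool {
	return strings.HasPrefix(path, allowedScope)
}

// resolvedRoute models the traversal side, which turns the segment after
// "routes" into a number with strconv.Atoi. Atoi accepts "01", "+1" and "10"
// alike, so the object it reaches need not be the one authorization saw.
func resolvedRoute(path string) (int, bool) {
	parts := strings.Split(path, "/")
	for k := 0; k+1 < len(parts); k++ {
		if parts[k] == "routes" {
			i, err := strconv.Atoi(parts[k+1])
			return i, err == nil && i >= 0
		}
	}
	return 0, false
}

// canonicalize rewrites every segment Atoi accepts as a non-negative index
// into its canonical decimal spelling before authorization, so both layers
// name the same object. A real fix would apply this only to segments that
// index arrays, since object keys may legitimately be numeric strings.
func canonicalize(path string) string {
	parts := strings.Split(path, "/")
	for k, p := range parts {
		if i, err := strconv.Atoi(p); err == nil && i >= 0 {
			parts[k] = strconv.Itoa(i)
		}
	}
	return strings.Join(parts, "/")
}

// authorizedCanonical matches the canonical path and only at a segment
// boundary, so ".../routes/10" no longer satisfies a scope of ".../routes/1".
func authorizedCanonical(path string) bool {
	c := canonicalize(path)
	return c == allowedScope || strings.HasPrefix(c, allowedScope+"/")
}
```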

Affected Systems

The affected product is Caddy from the caddyserver organization. All Caddy releases from version 2.4.0 up to but excluding 2.11.3 are impacted. Operating systems or deployment methods are not further specified in the advisory.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity. No EPSS value is available, so the likelihood of exploitation cannot be quantified from the advisory. The issue is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited in the wild. The attack vector is inferred to be remote, requiring the ability to send HTTP requests to the /config endpoint, which is typically accessible only from trusted networks.

Generated by OpenCVE AI on June 24, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the installed Caddy instance to version 2.11.3 or later.
  • Review the configuration to ensure the /config API is only exposed to trusted networks and enforce strict access controls.
  • Implement logging and monitoring for unauthenticated or unexpected configuration access attempts to detect potential exploitation.

Advisories
Source: GitHub GHSA
ID: GHSA-x5w9-xh9r-mvfc
Title: Caddy: Remote Admin Authorization Bypass in `/config` API via Array Index Normalization
History

Tue, 23 Jun 2026 22:15:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Caddyserver; Caddyserver caddy
Vendors & Products                     Caddyserver; Caddyserver caddy

Tue, 23 Jun 2026 18:15:00 +0000

Type          Values Removed    Values Added
Description                     Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal layer do not agree on what object the path refers to. In this case, a path authorized for one config object is accepted, but then resolves to a different config object during traversal. This happens because the authorization layer uses string prefix matching and the /config traversal layer parses array indices numerically using strconv.Atoi(). This vulnerability is fixed in 2.11.3.
Title                           Caddy: Remote Admin Authorization Bypass in `/config` API via Array Index Normalization
Weaknesses                      CWE-187; CWE-863
References
Metrics                         cvssV3_1: score 5.4, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T17:55:11.317Z

Reserved: 2026-05-13T04:38:01.164Z

Link: CVE-2026-45692

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T10:30:14Z

Weaknesses