Description
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, on Windows, Caddy path matchers treat /private\secret.txt as outside /private/*, but file_server later resolves the same request path as private\secret.txt on disk. An unauthenticated remote client can bypass Caddy path-scoped auth/deny routes protecting /private/*. This vulnerability is fixed in 2.11.4.
Published: 2026-06-23
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Caddy, a TLS‑enabled server platform, suffers a path‑scoping flaw on Windows before version 2.11.4. When a client requests /private\secret.txt, the path matcher interprets the encoded backslash as a literal backslash and treats the request as outside /private/*. However, the file_server module resolves the same path to the local file private\secret.txt. Because path‑based authentication or deny rules apply only to the matcher’s view, an unauthenticated attacker can craft such a request to read files that should be protected. The flaw originates from a mismatch between path normalization (CWE‑22) and authorization enforcement (CWE‑284).

Affected Systems

Caddy servers running on Windows with the file_server module prior to 2.11.4 are affected. The vulnerability exists only on Windows installations, as Linux path semantics do not exhibit the same backslash handling issue. Systems that deploy Caddy with path‑based authentication or deny rules for directories such as /private/* are at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity vulnerability. It is not listed in CISA KEV. The EPSS score is not available, so an exact exploitation probability cannot be quantified, but the attack is remote and requires only a crafted HTTP request, with no privileged credentials or user interaction. An attacker can send such a request from outside the network, bypassing path‑based authentication or deny rules and accessing files that should be protected. Because the flaw exists in a widely used module, the likelihood of exploitation is moderate to high for exposed Caddy instances.

Generated by OpenCVE AI on June 24, 2026 at 10:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Caddy to version 2.11.4 or later, which normalizes encoded backslashes and corrects matcher semantics.
  • If an upgrade is not feasible, configure the file_server module so that it does not serve the directories that should be protected, or move protected content outside the file_server root. This eliminates the bypass path while allowing static file delivery for other areas.
  • Until a patch or configuration change can be applied, use a reverse‑proxy or firewall rule to reject or block incoming requests that include encoded backslashes for the /private/* paths, preventing exploitation.
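The core of this advisory is a canonicalization mismatch: the authorization layer and the file resolver see two different forms of the same request path. The Go example below is added here to make that concrete from the defender's side; it is not Caddy's code (Caddy is written in Go, but the `naiveIsProtected`, `canonicalRequestPath`, `hardenedIsProtected` and `hasBackslash` functions, the `ProtectedPrefix` constant and the sample request paths are all constructed for illustration). It contrasts a prefix check on the raw decoded path with one done on a canonical path where backslashes are folded into forward slashes before matching, and includes the coarse edge filter suggested in the last bullet above.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ProtectedPrefix is the hypothetical path-scoped route guarded in this
// example, mirroring the /private/* route described in the advisory.
const ProtectedPrefix = "/private/"

// naiveIsProtected models the flaw class: the decoded request path is compared
// against the prefix as-is, so a backslash is not treated as a separator and
// "/private\secret.txt" is judged to be outside "/private/". This is an
// illustrative model, not Caddy's actual matcher implementation.
func naiveIsProtected(rawPath string) bool {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return true // fail closed on undecodable input
	}
	return strings.HasPrefix(decoded, ProtectedPrefix)
}

// canonicalRequestPath produces the one form of the path that both the
// authorization check and the file resolver should agree on: percent-decode,
// fold backslashes into forward slashes (Windows treats both as separators on
// disk) and path.Clean to collapse "." / ".." segments and repeated slashes.
func canonicalRequestPath(rawPath string) (string, error) {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", err
	}
	unified := strings.ReplaceAll(decoded, `\`, "/")
	return path.Clean("/" + unified), nil
}

// hardenedIsProtected applies the prefix check to the canonical path, so a
// request that the resolver would map to private\secret.txt on disk is also
// seen as /private/... by the authorization layer. Undecodable input fails closed.
func hardenedIsProtected(rawPath string) bool {
	canonical, err := canonicalRequestPath(rawPath)
	if err != nil {
		return true
	}
	return canonical == strings.TrimSuffix(ProtectedPrefix, "/") ||
		strings.HasPrefix(canonical, ProtectedPrefix)
}

// hasBackslash is the coarse edge filter for an unpatched instance: flag any
// raw request path carrying a literal or percent-encoded backslash (%5C/%5c).
func hasBackslash(rawPath string) bool {
	lower := strings.ToLower(rawPath)
	return strings.Contains(lower, `\`) || strings.Contains(lower, "%5c")
}

func main() {
	// Constructed sample request paths: a normal protected request, the
	// encoded-backslash form from the advisory, a literal-backslash form,
	// and an unprotected request for comparison.
	samples := []string{
		"/private/secret.txt",
		"/private%5Csecret.txt",
		`/private\secret.txt`,
		"/public/index.html",
	}
	for _, p := range samples {
		canonical, _ := canonicalRequestPath(p)
		fmt.Printf("%-25s naive=%-5t hardened=%-5t edgeFilter=%-5t canonical=%s\n",
			p, naiveIsProtected(p), hardenedIsProtected(p), hasBackslash(p), canonical)
	}
}
```

The design point is that canonicalization must happen once, before any policy decision, and every downstream consumer (matcher, authorization handler, file resolver) must consume the same canonical string; a fix that only normalizes in the file server, or only in the matcher, leaves the two views free to drift apart again.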

Advisories
Source: Github GHSA
ID: GHSA-qrp7-cvwr-j2c6
Title: Caddy: Windows `file_server` path authorization bypass via encoded backslash
History

Tue, 23 Jun 2026 23:15:00 +0000

Type: First Time appeared
  Values Added: Caddyserver; Caddyserver caddy
Type: Vendors & Products
  Values Added: Caddyserver; Caddyserver caddy

Tue, 23 Jun 2026 20:30:00 +0000

Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 23 Jun 2026 18:15:00 +0000

Type: Description
  Values Added: Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, on Windows, Caddy path matchers treat /private\secret.txt as outside /private/*, but file_server later resolves the same request path as private\secret.txt on disk. An unauthenticated remote client can bypass Caddy path-scoped auth/deny routes protecting /private/*. This vulnerability is fixed in 2.11.4.
Type: Title
  Values Added: Caddy: Windows `file_server` path authorization bypass via encoded backslash
Type: Weaknesses
  Values Added: CWE-22; CWE-284
Type: References
Type: Metrics (cvssV3_1)
  Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T20:06:12.019Z

Reserved: 2026-06-08T18:41:27.724Z

Link: CVE-2026-52844

Vulnrichment

Updated: 2026-06-23T20:06:06.864Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T11:00:13Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-284

    Improper Access Control