Vulnerability Description
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine used by the `file` request matcher does not sanitize backslashes. Because backslash is a path separator on Windows, a request path containing `..\` can survive a cleaning step that would have collapsed `../`, and protections that assume the cleaned path contains no traversal segments can be bypassed. The issue affects only users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue.
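To make the failure mode concrete, the following is an added Go example, not Caddy's code and not the patch referenced in the advisory. It places a sanitizer that understands only forward slashes beside one that normalizes backslashes before cleaning, and checks both against a simulated Windows-style resolution in which `\` and `/` are both separators. The document root `/srv/site`, the request paths, the `osView` simulation and the assumption that request paths are percent-decoded before sanitization are all constructed for this illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// root is a hypothetical document root chosen for this example.
const root = "/srv/site"

// osView simulates how a Windows filesystem would resolve a joined path:
// both "\" and "/" are separators, so backslashes are normalized before
// "." and ".." segments are collapsed. It is a model, so the example runs
// identically on any host; real resolution happens inside the OS.
func osView(p string) string {
	return path.Clean(strings.ReplaceAll(p, "\\", "/"))
}

// escapesRoot reports whether the OS-resolved path lies outside root.
func escapesRoot(joined string) bool {
	resolved := osView(joined)
	return resolved != root && !strings.HasPrefix(resolved, root+"/")
}

// naiveJoin models the pre-fix behaviour the advisory describes: the request
// path is cleaned with path.Clean, which knows only "/" as a separator.
// "../" segments are collapsed, but "..\" is treated as an opaque file name
// and passes through untouched.
func naiveJoin(reqPath string) string {
	decoded, err := url.PathUnescape(reqPath)
	if err != nil {
		decoded = reqPath
	}
	return root + path.Clean("/"+decoded)
}

// hardenedJoin converts backslashes to forward slashes before cleaning, so
// "..\" is collapsed exactly like "../". It then verifies the result is still
// under root; cleaning a rooted path cannot escape, so this second check is
// defence in depth against a future regression in the normalization step.
func hardenedJoin(reqPath string) (string, bool) {
	decoded, err := url.PathUnescape(reqPath)
	if err != nil {
		return "", false
	}
	normalized := strings.ReplaceAll(decoded, "\\", "/")
	joined := root + path.Clean("/"+normalized)
	if escapesRoot(joined) {
		return "", false
	}
	return joined, true
}

func main() {
	// Constructed request paths. The percent-encoded form is what a client
	// that refuses to emit a raw backslash in the request line would send.
	for _, req := range []string{
		"/static/../../etc/passwd",       // forward-slash traversal: collapsed by both
		"/static/..\\..\\etc/passwd",     // raw backslash traversal
		"/static/..%5C..%5Cetc/passwd",   // percent-encoded backslash traversal
	} {
		naive := naiveJoin(req)
		fmt.Printf("%-32s naive=%q escapesRoot=%v\n", req, naive, escapesRoot(naive))
		if hardened, ok := hardenedJoin(req); ok {
			fmt.Printf("%-32s hardened=%q\n", "", hardened)
		}
	}
}
```

The forward-slash case is handled identically by both joins, which is why a test suite that only exercises `../` would not catch the bug; the backslash cases are where `naiveJoin` hands the OS a path that resolves to `/srv/etc/passwd`, outside the root. Normalizing separators before `path.Clean` is the key step; the trailing root check costs nothing and catches regressions.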
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Caddyserver | Caddy | < 2.11.1 |
Related Weaknesses (CWE)
References
- https://github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58c (Product)
- https://github.com/caddyserver/caddy/releases/tag/v2.11.1 (Release Notes)
- https://github.com/caddyserver/caddy/security/advisories/GHSA-4xrr-hq4w-6vf4 (Exploit, Vendor Advisory)
FAQ
What is CVE-2026-27585?
CVE-2026-27585 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in the `file` request matcher doesn't sanitize backslashes, which can lead to bypassing path-related security protections. It affects users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue.
How severe is CVE-2026-27585?
CVE-2026-27585 has been rated MEDIUM with a CVSS base score of 6.5/10. The full CVSS vector is not reproduced on this page; consult the vendor advisory in the References section for the metric breakdown. Whether the rating applies to a given deployment depends on the configuration and host environment noted in the description.
Is there a patch for CVE-2026-27585?
Yes. Caddy 2.11.1 fixes the issue; upgrade to 2.11.1 or later. The release notes and vendor advisory are linked in the References section above. Affected products: Caddyserver Caddy, versions prior to 2.11.1.