Description

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in the file matcher doesn't sanitize backslashes, which can lead to bypassing path-related security protections. It affects users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue.

Status: PUBLISHED | Reserved 2026-02-20 | Published 2026-02-24 | Updated 2026-02-24 | Assigner GitHub_M

Severity: MEDIUM 6.9 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P)

Problem types

CWE-20: Improper Input Validation

Product status

< 2.11.1: affected

References

github.com/.../caddy/security/advisories/GHSA-4xrr-hq4w-6vf4

github.com/...b58ca0/modules/caddyhttp/fileserver/matcher.go

github.com/caddyserver/caddy/releases/tag/v2.11.1

cve.org (CVE-2026-27585)

nvd.nist.gov (CVE-2026-27585)