CVE-2026-27585 MEDIUM

CVE-2026-27585: Caddy's improper sanitization of glob characters in file matcher may lead to bypassing security protections

Vendor Caddyserver
Product caddy
Weakness CWE-20 · Input validation
Published February 24, 2026
Last update February 26, 2026

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in the file matcher does not sanitize backslashes, which can lead to bypassing path-related security protections. It affects users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue.

Key dates

Disclosure timeline

February 24, 2026 CVE published
February 26, 2026 Record updated