{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27587", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-20T17:40:28.450Z", "datePublished": "2026-02-24T16:26:40.222Z", "dateUpdated": "2026-02-27T20:48:09.775Z"}, "containers": {"cna": {"title": "Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-178", "lang": "en", "description": "CWE-178: Improper Handling of Case Sensitivity", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/caddyserver/caddy/security/advisories/GHSA-g7pc-pc7g-h8jh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-g7pc-pc7g-h8jh"}, {"name": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1"}], "affected": [{"vendor": "caddyserver", "product": "caddy", "versions": [{"version": "< 2.11.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T16:26:40.222Z"}, "descriptions": [{"lang": "en", "value": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path. Version 2.11.1 contains a fix for the issue."}], "source": {"advisory": "GHSA-g7pc-pc7g-h8jh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T20:47:59.330355Z", "id": "CVE-2026-27587", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T20:48:09.775Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27587", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T20:47:59.330355Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T20:48:06.400Z"}}], "cna": {"title": "Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass", "source": {"advisory": "GHSA-g7pc-pc7g-h8jh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "caddyserver", "product": "caddy", "versions": [{"status": "affected", "version": "< 2.11.1"}]}], "references": [{"url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-g7pc-pc7g-h8jh", "name": "https://github.com/caddyserver/caddy/security/advisories/GHSA-g7pc-pc7g-h8jh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1", "name": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path. Version 2.11.1 contains a fix for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-178", "description": "CWE-178: Improper Handling of Case Sensitivity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T16:26:40.222Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27587", "state": "PUBLISHED", "dateUpdated": "2026-02-27T20:48:09.775Z", "dateReserved": "2026-02-20T17:40:28.450Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-24T16:26:40.222Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*", "matchCriteriaId": "F0DAFEB2-036C-42D4-9AEF-F962268F5873", "versionEndExcluding": "2.11.1", "versionStartIncluding": "2.10.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path. Version 2.11.1 contains a fix for the issue."}], "id": "CVE-2026-27587", "lastModified": "2026-02-25T17:11:25.233", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-24T17:29:03.953", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-g7pc-pc7g-h8jh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-178"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.11.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "caddy", "source": "cna", "vendor": "caddyserver"}, "product": "caddy", "vendor": "caddyserver"}], "analysis": {"en": {"generated_at": "2026-04-16T16:23:33.079778+00:00", "value": {"mitigation_remediation": ["Update Caddy to version 2.11.1 or later to apply the fix for case\u2011normalization in percent\u2011encoded paths", "If upgrading immediately is not feasible, block or filter requests containing percent\u2011escaped paths that differ only in case using a reverse proxy or firewall rule", "Ensure that any custom routing or authorization logic explicitly validates the canonical form of the path before granting access"], "summary": {"action": "Apply Update", "impact": "Route and Authorization Bypass via case\u2010sensitive URL handling"}, "threat_synthesis": {"affected_systems": "The vulnerability affects servers running Caddy server platform version 2.11.0 and earlier. The issue was addressed and fixed in release 2.11.1, as noted by the Caddy developers.", "description_and_impact": "Caddy versions prior to 2.11.1 contain an error in the HTTP path request matcher: percent\u2011escaped segments are compared without case normalization. This flaw allows an attacker to alter the casing of a path in the request URL so that the server treats the request as matching a different route. The result is that path\u2011based routing logic and any access controls tied to that route can be bypassed, potentially granting unauthorized access to protected resources or services.", "risk_and_exploitability": "The flaw carries a CVSS score of 7.7 and an EPSS probability of less than 1\u202f%, indicating a low probability of exploitation but still high impact if used. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to send a crafted HTTP request containing a percent\u2011escaped path with altered casing; no elevated privileges or local access are required. The attack is therefore remote and can be executed simply by targeting the exposed HTTP interface."}}}}, "created": "2026-02-25T11:38:41.374020+00:00", "updated": "2026-04-16T16:30:15.938141+00:00", "vendors": ["caddyserver", "caddyserver$PRODUCT$caddy"]}