{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27588", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-20T17:40:28.450Z", "datePublished": "2026-02-24T16:28:28.106Z", "dateUpdated": "2026-02-27T20:47:36.164Z"}, "containers": {"cna": {"title": "Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-178", "lang": "en", "description": "CWE-178: Improper Handling of Case Sensitivity", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/caddyserver/caddy/security/advisories/GHSA-x76f-jf84-rqj8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-x76f-jf84-rqj8"}, {"name": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1"}], "affected": [{"vendor": "caddyserver", "product": "caddy", "versions": [{"version": "< 2.11.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T16:28:28.106Z"}, "descriptions": [{"lang": "en", "value": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the casing of the `Host` header. Version 2.11.1 contains a fix for the issue."}], "source": {"advisory": "GHSA-x76f-jf84-rqj8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T20:47:27.256996Z", "id": "CVE-2026-27588", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T20:47:36.164Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27588", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T20:47:27.256996Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T20:47:32.069Z"}}], "cna": {"title": "Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass", "source": {"advisory": "GHSA-x76f-jf84-rqj8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "caddyserver", "product": "caddy", "versions": [{"status": "affected", "version": "< 2.11.1"}]}], "references": [{"url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-x76f-jf84-rqj8", "name": "https://github.com/caddyserver/caddy/security/advisories/GHSA-x76f-jf84-rqj8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1", "name": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the casing of the `Host` header. Version 2.11.1 contains a fix for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-178", "description": "CWE-178: Improper Handling of Case Sensitivity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T16:28:28.106Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27588", "state": "PUBLISHED", "dateUpdated": "2026-02-27T20:47:36.164Z", "dateReserved": "2026-02-20T17:40:28.450Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-24T16:28:28.106Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*", "matchCriteriaId": "F0DAFEB2-036C-42D4-9AEF-F962268F5873", "versionEndExcluding": "2.11.1", "versionStartIncluding": "2.10.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the casing of the `Host` header. Version 2.11.1 contains a fix for the issue."}], "id": "CVE-2026-27588", "lastModified": "2026-02-25T17:10:48.980", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-24T17:29:04.163", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-x76f-jf84-rqj8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-178"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.11.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "caddy", "source": "cna", "vendor": "caddyserver"}, "product": "caddy", "vendor": "caddyserver"}], "analysis": {"en": {"generated_at": "2026-04-18T17:44:18.550243+00:00", "value": {"mitigation_remediation": ["Upgrade Caddy to version 2.11.1 or later, which restores case\u2011insensitive matching for host lists of any size.", "If an upgrade cannot be performed immediately, restructure the host configuration to keep the number of host entries at or below 100, thereby preventing the case\u2011sensitivity issue.", "Implement a web application firewall rule or proxy filter that normalizes incoming Host headers or rejects requests with atypical casing patterns to mitigate potential bypass attempts."], "summary": {"action": "Patch promptly", "impact": "Host\u2011based route and authorization bypass, allowing unauthorized request handling"}, "threat_synthesis": {"affected_systems": "The issue affects all installations of Caddy server (caddyserver caddy) running versions prior to 2.11.1. Any configuration that lists more than 100 host entries is vulnerable, regardless of operating system or deployment method.", "description_and_impact": "The vulnerability causes Caddy\u2019s HTTP host matcher to become case\u2011sensitive when configured with more than a hundred host entries, contrary to its documentation of being case\u2011insensitive. This issue is an instance of CWE\u2011178, improper case handling. As a result, an attacker can craft a Host header that differs only in letter casing from an expected value, causing the request to be directed to a different route or to bypass access controls tied to the intended route. This enables unauthorized access or manipulation of requests that would normally be restricted, effectively granting elevated privileges or unauthorized data exposure.", "risk_and_exploitability": "The assessment assigns a CVSS v3 score of 7.7, indicating a high severity with potential for privilege escalation and data compromise. The EPSS score is less than 1%, suggesting a low likelihood of exploitation at present. The vulnerability is not included in the CISA Known Exploited Vulnerabilities catalog. Exploitation would require remote network access to the Caddy instance and the ability to send HTTP requests with a manipulated Host header; no local privilege or additional authentication is required. The attack vector is therefore external to the server, using standard network protocols."}}}}, "created": "2026-02-25T11:38:40.576749+00:00", "updated": "2026-04-18T17:45:06.066939+00:00", "vendors": ["caddyserver", "caddyserver$PRODUCT$caddy"]}