CVE-2026-27586

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but accepts any client certificate signed by any system-trusted CA, completely bypassing the intended private CA trust boundary. Any deployment using `trusted_ca_cert_file` or `trusted_ca_certs_pem_files` for mTLS will silently degrade to accepting any system-trusted client certificate if the CA file becomes unavailable. This can happen due to a typo in the path, file rotation, corruption, or permission changes. The server gives no indication that mTLS is misconfigured. Version 2.11.1 fixes the vulnerability.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://gist.github.com/moscowchill/9566c79c76c0b64c57f8bd0716f97c48	Exploit
https://github.com/caddyserver/caddy/releases/tag/v2.11.1	Release Notes
https://github.com/caddyserver/caddy/security/advisories/GHSA-hffm-g8v7-wrv7	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-24 17:29

Updated : 2026-02-25 17:14

NVD link : CVE-2026-27586

Mitre link : CVE-2026-27586

CVE.ORG link : CVE-2026-27586

JSON object : View

Products Affected

caddyserver

caddy

CWE

CWE-755

Improper Handling of Exceptional Conditions

{"id": "CVE-2026-27586", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-24T17:29:03.793", "references": [{"url": "https://gist.github.com/moscowchill/9566c79c76c0b64c57f8bd0716f97c48", "tags": ["Exploit"], "source": "security-advisories@github.com"}, {"url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-hffm-g8v7-wrv7", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-755"}]}], "descriptions": [{"lang": "en", "value": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but accepts any client certificate signed by any system-trusted CA, completely bypassing the intended private CA trust boundary. Any deployment using `trusted_ca_cert_file` or `trusted_ca_certs_pem_files` for mTLS will silently degrade to accepting any system-trusted client certificate if the CA file becomes unavailable. This can happen due to a typo in the path, file rotation, corruption, or permission changes. The server gives no indication that mTLS is misconfigured. Version 2.11.1 fixes the vulnerability."}, {"lang": "es", "value": "Caddy es una plataforma de servidor extensible que usa TLS por defecto. Antes de la versi\u00f3n 2.11.1, dos errores silenciados en `ClientAuthentication.provision()` causan que la autenticaci\u00f3n de certificados de cliente mTLS falle silenciosamente en modo abierto cuando un archivo de certificado de CA falta, es ilegible o est\u00e1 malformado. El servidor se inicia sin error pero acepta cualquier certificado de cliente firmado por cualquier CA de confianza del sistema, eludiendo completamente el l\u00edmite de confianza de CA privada previsto. Cualquier despliegue que use `trusted_ca_cert_file` o `trusted_ca_certs_pem_files` para mTLS se degradar\u00e1 silenciosamente para aceptar cualquier certificado de cliente de confianza del sistema si el archivo de CA deja de estar disponible. Esto puede ocurrir debido a un error tipogr\u00e1fico en la ruta, rotaci\u00f3n de archivos, corrupci\u00f3n o cambios de permisos. El servidor no da ninguna indicaci\u00f3n de que mTLS est\u00e1 mal configurado. La versi\u00f3n 2.11.1 corrige la vulnerabilidad."}], "lastModified": "2026-02-25T17:14:19.867", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9AD1B432-AFA3-4A05-A687-F6092CDB6498", "versionEndExcluding": "2.11.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}