CVE-2026-27590

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment). Version 2.11.1 fixes the issue.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/caddyserver/caddy/releases/tag/v2.11.1	Release Notes
https://github.com/caddyserver/caddy/security/advisories/GHSA-5r3v-vc8m-m96g	Exploit Vendor Advisory
https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-24 17:29

Updated : 2026-02-25 17:07

NVD link : CVE-2026-27590

Mitre link : CVE-2026-27590

CVE.ORG link : CVE-2026-27590

JSON object : View

Products Affected

caddyserver

caddy

CWE

CWE-20

Improper Input Validation

CWE-180

Incorrect Behavior Order: Validate Before Canonicalize

{"id": "CVE-2026-27590", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-24T17:29:04.493", "references": [{"url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-5r3v-vc8m-m96g", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/php/frankenphp/security/advisories/GHSA-g966-83w7-6w38", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-180"}]}], "descriptions": [{"lang": "en", "value": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment). Version 2.11.1 fixes the issue."}, {"lang": "es", "value": "Caddy es una plataforma de servidor extensible que utiliza TLS por defecto. Antes de la versi\u00f3n 2.11.1, la l\u00f3gica de divisi\u00f3n de rutas FastCGI de Caddy calcula el \u00edndice de divisi\u00f3n en una copia en min\u00fasculas de la ruta de la solicitud y luego utiliza ese \u00edndice de bytes para segmentar la ruta original. Esto no es seguro para Unicode porque `strings.ToLower()` puede cambiar la longitud de bytes UTF-8 para algunos caracteres. Como resultado, Caddy puede derivar un `SCRIPT_NAME`/`SCRIPT_FILENAME` y `PATH_INFO` incorrectos, lo que podr\u00eda causar que una solicitud que contiene .php ejecute un archivo en disco diferente al previsto (confusi\u00f3n de rutas). En configuraciones donde un atacante puede controlar el contenido de los archivos (por ejemplo, funciones de carga), esto puede llevar a la ejecuci\u00f3n no intencionada de PHP de archivos que no son .php (RCE potencial dependiendo de la implementaci\u00f3n). La versi\u00f3n 2.11.1 corrige el problema."}], "lastModified": "2026-02-25T17:07:09.600", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9AD1B432-AFA3-4A05-A687-F6092CDB6498", "versionEndExcluding": "2.11.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}