CVE-2026-27585

NameCVE-2026-27585
DescriptionCaddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. It affects users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
caddy (PTS)bookworm2.6.2-5vulnerable
trixie2.6.2-12vulnerable
sid2.6.2-14vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
caddysource(unstable)(unfixed)

Notes

https://github.com/caddyserver/caddy/security/advisories/GHSA-4xrr-hq4w-6vf4
Search for package or bug name: Reporting problems