CVE-2026-45692

NameCVE-2026-45692
DescriptionCaddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal layer do not agree on what object the path refers to. In this case, a path authorized for one config object is accepted, but then resolves to a different config object during traversal. This happens because the authorization layer uses string prefix matching and the /config traversal layer parses array indices numerically using strconv.Atoi(). This vulnerability is fixed in 2.11.3.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
caddy (PTS)bookworm2.6.2-5vulnerable
trixie2.6.2-12vulnerable
forky, sid2.11.2-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
caddysource(unstable)(unfixed)

Notes

https://github.com/caddyserver/caddy/security/advisories/GHSA-x5w9-xh9r-mvfc
Search for package or bug name: Reporting problems