CVE-2026-27585 - Vulnerability Analysis
Severity: Medium | CVSS: 6.5 | Last Updated: February 25, 2026
Caddy - Path Traversal
Published: February 24, 2026 | Updated: February 25, 2026 | PoC Available | Remote Exploitable
Overview
Caddy before 2.11.1 contains a path traversal caused by improper sanitization of backslashes in the file matcher's path sanitization routine, letting attackers bypass path-related security protections. Exploitation requires specific environment configurations.
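As an added illustration (not Caddy's own code), the Go program below shows why a path cleaner that only understands forward slashes leaves a parent reference written with a backslash intact, next to a hardened variant that normalizes separators before cleaning and confines the result to the root; sanitizeWeak, sanitizeStrict and containsParentRef are hypothetical names and the sample path is constructed for the check.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// sanitizeWeak cleans the request path but treats '\' as an ordinary
// character, so path.Clean never sees a "..\x" segment as a parent
// reference; a later consumer that accepts '\' as a separator will.
func sanitizeWeak(p string) string {
	return path.Clean("/" + p)
}

// sanitizeStrict maps every backslash to '/' first, so path.Clean
// resolves ".." regardless of which separator was used, then anchors
// the result under "/" so it can never climb above the root.
func sanitizeStrict(p string) string {
	p = strings.ReplaceAll(p, "\\", "/")
	return path.Clean("/" + p)
}

// containsParentRef reports whether any segment, split on either
// separator, is "..", i.e. whether traversal survived sanitization.
func containsParentRef(p string) bool {
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	for _, seg := range strings.FieldsFunc(p, isSep) {
		if seg == ".." {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: a parent reference written with a backslash.
	const sample = "/static/..\\secret.txt"
	w, s := sanitizeWeak(sample), sanitizeStrict(sample)
	fmt.Printf("weak:   %q parentRef=%v\n", w, containsParentRef(w))
	fmt.Printf("strict: %q parentRef=%v\n", s, containsParentRef(s))
}
```

Dropping the same input through both functions is a quick regression check for any request-path sanitizer that feeds a filesystem lookup.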
Severity & Score
Severity: Medium
CVSS Score: 6.5
Impact
Attackers can bypass path-related security protections, potentially accessing unauthorized files or directories.
Mitigation
Upgrade to version 2.11.1 or later.
References
- https://github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58ca0/modules/caddyhttp/fileserver/matcher.go#L361
- https://github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58ca0/modules/caddyhttp/fileserver/matcher.go#L398
- https://github.com/caddyserver/caddy/releases/tag/v2.11.1
- https://github.com/caddyserver/caddy/security/advisories/GHSA-4xrr-hq4w-6vf4
Details
- CVE ID: CVE-2026-27585
- Severity: Medium
- CVSS Score: 6.5
- Type: path_traversal
- Status: confirmed
CWE
- CWE-20
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N