CVE-2026-27586 - Vulnerability Analysis
Severity: Critical | CVSS: 9.1 | Last Updated: February 25, 2026
Caddy - Authentication Bypass
Published: February 24, 2026 | Updated: February 25, 2026 | PoC Available | Remote Exploitable
Overview
Caddy versions before 2.11.1 contain a broken-authentication flaw: errors raised in ClientAuthentication.provision() are swallowed, so mTLS client certificate authentication can fail silently and allow an attacker to bypass the private CA trust boundary. Exploitation requires misconfigured or missing CA certificate files.
Severity & Score
Severity: Critical
CVSS Score: 9.1
Impact
Attackers can bypass mTLS authentication, allowing unauthorized access to the server.
Mitigation
Upgrade to version 2.11.1 or later.
Details
- CVE ID: CVE-2026-27586
- Severity: Critical
- CVSS Score: 9.1
- Type: broken_authentication
- Status: confirmed
CWE
- CWE-755
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N