CVE-2026-27585

Source
https://cve.org/CVERecord?id=CVE-2026-27585
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-27585.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-27585
Aliases
Downstream
Published
2026-02-24T16:06:05.030Z
Modified
2026-02-25T08:54:46.295148Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
Summary
Caddy's improper sanitization of glob characters in file matcher may lead to bypassing security protections
Details

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in the file matcher does not sanitize backslashes, which can lead to bypassing path-related security protections. It affects users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27585.json",
    "cwe_ids": [
        "CWE-20"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/caddyserver/caddy

Affected ranges

Type
GIT
Repo
https://github.com/caddyserver/caddy
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.11.1"
        }
    ]
}

Affected versions

v2.*
v2.0.0
v2.0.0-beta.13
v2.0.0-beta.14
v2.0.0-beta.15
v2.0.0-beta.16
v2.0.0-beta.17
v2.0.0-beta.18
v2.0.0-beta.19
v2.0.0-beta.20
v2.0.0-beta1
v2.0.0-beta10
v2.0.0-beta11
v2.0.0-beta12
v2.0.0-beta2
v2.0.0-beta3
v2.0.0-beta4
v2.0.0-beta5
v2.0.0-beta6
v2.0.0-beta7
v2.0.0-beta8
v2.0.0-beta9
v2.0.0-rc.1
v2.0.0-rc.2
v2.0.0-rc.3
v2.1.0
v2.1.0-beta.1
v2.1.0-beta.2
v2.1.1
v2.10.0
v2.10.0-beta.1
v2.10.0-beta.2
v2.10.0-beta.3
v2.10.0-beta.4
v2.10.1
v2.10.2
v2.11.0
v2.11.0-beta.1
v2.11.0-beta.2
v2.2.0
v2.2.0-rc.1
v2.2.0-rc.2
v2.2.0-rc.3
v2.2.1
v2.2.3
v2.3.0
v2.3.0-beta.1
v2.3.0-rc.1
v2.3.0-rc.2
v2.4.0
v2.4.0-beta.1
v2.4.0-beta.2
v2.4.0-rc.1
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.5.0
v2.5.0-beta.1
v2.5.0-rc.1
v2.5.1
v2.5.2
v2.6.0
v2.6.0-beta.1
v2.6.0-beta.2
v2.6.0-beta.3
v2.6.0-beta.4
v2.6.0-beta.5
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.7.0
v2.7.0-beta.1
v2.7.0-beta.2
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.8.0
v2.8.0-beta.1
v2.8.0-beta.2
v2.8.0-rc.1
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.9.0
v2.9.0-beta.1
v2.9.0-beta.2
v2.9.0-beta.3
v2.9.1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-27585.json"