Moderate severity · NVD Advisory · Published Feb 24, 2026 · Updated Feb 26, 2026
Caddy's improper sanitization of glob characters in file matcher may lead to bypassing security protections
CVE-2026-27585
Description
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in the file matcher does not sanitize backslashes, which can lead to bypassing path-related security protections. The issue affects users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue.
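The following Go program is an added illustration of the failure class the description names; it is not Caddy's matcher.go and does not reproduce the project's code. It contrasts a path cleaner that only understands "/" as a separator with one that folds backslashes in first, on constructed request paths. Backslash is a path separator on Windows but a plain filename character on Unix, which is why the practical impact of the weak variant depends on the environment the server runs in.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constructed request paths for the demonstration (not taken from the advisory).
var samplePaths = []string{
	"/docs/../index.html", // ordinary forward-slash traversal
	`/..\..\secret.txt`,   // backslash-separated traversal
	`/docs\..\index.html`, // mixed separators
}

// cleanSlashOnly is an illustrative reimplementation of the weak pattern the
// advisory describes, not Caddy's code: the request path goes through
// path.Clean, which treats only "/" as a separator. A ".." delimited by
// backslashes is therefore one opaque element and survives untouched.
func cleanSlashOnly(reqPath string) string {
	return path.Clean("/" + reqPath)
}

// cleanAnySeparator is the hardened variant: backslashes are folded into
// forward slashes before cleaning, so `..\` is collapsed exactly like `../`
// and the result can never climb above the root.
func cleanAnySeparator(reqPath string) string {
	return path.Clean("/" + strings.ReplaceAll(reqPath, `\`, "/"))
}

// hasDotDot reports whether a cleaned path still contains a ".." element
// under either separator. On a filesystem that accepts "\" as a separator
// (Windows), such a path can resolve outside the served root even though
// its forward-slash view looks harmless.
func hasDotDot(p string) bool {
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	for _, seg := range strings.FieldsFunc(p, isSep) {
		if seg == ".." {
			return true
		}
	}
	return false
}

func main() {
	fmt.Printf("%-22s %-22s %-6s %-22s %s\n",
		"request", "slash-only clean", "..?", "any-separator clean", "..?")
	for _, p := range samplePaths {
		weak, strong := cleanSlashOnly(p), cleanAnySeparator(p)
		fmt.Printf("%-22s %-22s %-6v %-22s %v\n",
			p, weak, hasDotDot(weak), strong, hasDotDot(strong))
	}
}
```

Run it with `go run .`: the slash-only cleaner returns the two backslash inputs unchanged and `hasDotDot` flags both, while the any-separator cleaner reduces them to `/secret.txt` and `/index.html`. When auditing a server's path handling, the check worth making is exactly this one: feed it a backslash-separated `..` and confirm the output no longer contains a traversal element under any separator the target OS honours.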
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/caddyserver/caddy/v2 (Go) | < 2.11.1 | 2.11.1 |
Affected products
- pkg:golang/github.com/caddyserver/caddy/v2 (no CPE), range: < 2.11.1
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6 (no CPE), range: < 0.0.20260226T182644-150000.1.149.1
References
- github.com/advisories/GHSA-4xrr-hq4w-6vf4 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-27585 (advisory)
- caddyserver.com/docs/caddyfile/directives (web)
- github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58ca0/modules/caddyhttp/fileserver/matcher.go (web)
- github.com/caddyserver/caddy/releases/tag/v2.11.1 (web)
- github.com/caddyserver/caddy/security/advisories/GHSA-4xrr-hq4w-6vf4 (vendor confirmation)
- pkg.go.dev/vuln/GO-2026-4535 (web)