Moderate severity | NVD Advisory · Published Feb 24, 2026 · Updated Feb 26, 2026
Caddy's improper sanitization of glob characters in file matcher may lead to bypassing security protections
CVE-2026-27585
Description
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in the file matcher does not sanitize backslashes, which can lead to bypassing path-related security protections. The issue affects users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/caddyserver/caddy/v2 (Go) | < 2.11.1 | 2.11.1 |
Affected products: 1
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-4xrr-hq4w-6vf4 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-27585 (NVD advisory)
- caddyserver.com/docs/caddyfile/directives (web)
- github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58ca0/modules/caddyhttp/fileserver/matcher.go (web)
- github.com/caddyserver/caddy/releases/tag/v2.11.1 (web)
- github.com/caddyserver/caddy/security/advisories/GHSA-4xrr-hq4w-6vf4 (vendor confirmation, web)
- pkg.go.dev/vuln/GO-2026-4535 (web)