VYPR
High severityNVD Advisory· Published Feb 24, 2026· Updated Feb 27, 2026

Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass

CVE-2026-27587

Description

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP path request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (%xx) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path. Version 2.11.1 contains a fix for the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/caddyserver/caddy/v2Go
< 2.11.12.11.1

Affected products

3

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.