VYPR
High severityNVD Advisory· Published Feb 24, 2026· Updated Feb 27, 2026

Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass

CVE-2026-27588

Description

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP host request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the casing of the Host header. Version 2.11.1 contains a fix for the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/caddyserver/caddy/v2Go
< 2.11.12.11.1

Affected products

3

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.