Caddy: Windows `file_server` path authorization bypass via encoded backslash
Description
On Windows, Caddy's path matchers fail to normalize backslashes, allowing unauthenticated attackers to bypass path-scoped access controls via an encoded backslash in the request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
On Windows, Caddy's path matcher (MatchPath.MatchWithError()) compares the raw URL path without normalizing backslashes (\) to forward slashes (/). Consequently, a request containing an encoded backslash (e.g., /private%5csecret.txt) is not matched by a route pattern such as /private/*. The file_server handler later resolves the same path using SanitizedPathJoin(), which on Windows treats the backslash as a directory separator, enabling access to files inside the protected directory [1][2]. This vulnerability affects all Caddy versions on Windows prior to a patch, including the current HEAD at the time of disclosure.
Exploitation
An unauthenticated remote attacker sends an HTTP request with an encoded backslash (%5c) in the path, for example GET /private%5csecret.txt. No authentication or special network access is required beyond the ability to reach the Caddy server. The attacker does not need user interaction or any additional privileges. The only condition is that the server uses a path matcher to restrict access to a directory and also serves files via file_server [1][2].
Impact
Successful exploitation allows an attacker to bypass path-scoped authorization or denial rules (e.g., a respond @private 403 directive) and retrieve arbitrary files from the protected directory via the file_server. The outcome is information disclosure of sensitive content that should have been blocked. No code execution or file write is achieved [1][2].
Mitigation
As of the advisory publication date (2026-06-16), no official fix has been released. The vulnerability exists in all Caddy versions on Windows. Until a patch is available, administrators should avoid relying solely on path matchers in front of file_server on Windows, or implement additional authentication and validation layers. A fix for the underlying normalization mismatch is expected in a future Caddy release [1][2].
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 1.0.5
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Caddy's `MatchPath` does not normalize backslash (`\`) to forward slash (`/`) in the request URL path, while `file_server` on Windows treats backslash as a filesystem path separator, creating an authorization bypass."
Attack vector
An unauthenticated remote attacker sends a GET request with a URL-encoded backslash (`%5c` or `%5C`) in the path, e.g. `/private%5csecret.txt`. Caddy's `path` matcher (`MatchPath`) evaluates `r.URL.Path` using URL path semantics and does not treat `\` as a separator, so the request does not match the `/private/*` pattern and the route's auth/deny handler is skipped. The `file_server` then calls `SanitizedPathJoin()` which, on Windows, treats `\` as a path separator, resolving the request to the file `private\secret.txt` on disk and serving it.
Affected code
The vulnerability arises from a mismatch between `MatchPath.MatchWithError()` in `modules/caddyhttp/matchers.go` (lines 429, 436, 490, 532) which compares `r.URL.Path` using URL path semantics without normalizing `\` to `/`, and `file_server`'s `SanitizedPathJoin()` in `modules/caddyhttp/fileserver/staticfiles.go:294` and `modules/caddyhttp/caddyhttp.go:257,263`, which later resolves the same path on Windows where `\` is treated as a filesystem separator (`internal/filesystems/os.go:18`).
What the fix does
The advisory recommends normalizing Windows path separators consistently before `MatchPath` evaluates request paths, or rejecting request paths containing `\` before `file_server` resolves them as filesystem separators. The key invariant is that a request path used for route authorization must not later resolve to a different protected filesystem path. No patch has been published at the time of this advisory.
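To make the mismatch concrete, and to show both mitigations the advisory names (normalizing separators before the route decision, or rejecting any decoded path that still contains a backslash), here is an added Go example. It is not Caddy's code and does not reproduce `MatchPath` or `SanitizedPathJoin`; it assumes a minimal "/prefix/*" glob matcher and a constructed set of request targets, and it goes slightly beyond the advisory's single case by showing that normalization also resolves `..` segments so the matcher judges the same path a Windows filesystem would resolve.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// protectedPattern is the route pattern from the advisory's example
// configuration (@private path /private/*).
const protectedPattern = "/private/*"

// decodedPath parses a request-target the way net/http does and returns the
// percent-decoded path, so the escape %5c arrives here as a literal backslash,
// which is what a matcher reading r.URL.Path sees.
func decodedPath(requestURI string) (string, error) {
	u, err := url.ParseRequestURI(requestURI)
	if err != nil {
		return "", err
	}
	return u.Path, nil
}

// matchPrefixGlob is a deliberately minimal stand-in (not Caddy's matcher) for
// a "/prefix/*" path matcher that applies URL semantics only: a backslash is an
// ordinary byte, not a separator, which is the behaviour the advisory describes.
func matchPrefixGlob(urlPath, pattern string) bool {
	prefix := strings.TrimSuffix(pattern, "*")
	return strings.HasPrefix(urlPath, prefix)
}

// normalizeSeparators rewrites every backslash to a forward slash and cleans
// the result (collapsing "//" and resolving ".." segments). Note that
// path.Clean also drops a trailing slash, so a matcher that must distinguish
// "/private/" from "/private" needs to handle that separately.
func normalizeSeparators(urlPath string) string {
	p := strings.ReplaceAll(urlPath, `\`, "/")
	if !strings.HasPrefix(p, "/") {
		p = "/" + p
	}
	return path.Clean(p)
}

// matchHardened is the first mitigation the advisory names: normalize
// separators before the authorization decision is made.
func matchHardened(urlPath, pattern string) bool {
	return matchPrefixGlob(normalizeSeparators(urlPath), pattern)
}

// hasBackslash is the second mitigation the advisory names: refuse any decoded
// path that still contains a backslash before it reaches the file server.
func hasBackslash(urlPath string) bool {
	return strings.Contains(urlPath, `\`)
}

func main() {
	// Constructed request targets: a plain protected path, the encoded-backslash
	// variant from the advisory, and an unrelated public path.
	targets := []string{"/private/secret.txt", "/private%5csecret.txt", "/public/index.html"}
	for _, target := range targets {
		p, err := decodedPath(target)
		if err != nil {
			fmt.Println(target, "parse error:", err)
			continue
		}
		fmt.Printf("%-24s decoded=%-22q url-only=%-5v normalized=%-5v reject=%v\n",
			target, p,
			matchPrefixGlob(p, protectedPattern),
			matchHardened(p, protectedPattern),
			hasBackslash(p))
	}
}
```

Running it shows the encoded-backslash target is missed by the URL-semantics matcher but caught once the path is normalized, and that the reject check flags it as well. Either mitigation restores the invariant the advisory states: the path used for the route decision is the same path the file server later resolves.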
Preconditions
- Config: Caddy must be running on a Windows host
- Config: The Caddyfile must use a `path` matcher (e.g. `@private path /private/*`) with a scoped handler (e.g. `respond @private 403` or `basic_auth`) before a `file_server` directive
- Network: The attacker must be able to send HTTP requests to the Caddy server
- Input: The request path must contain a URL-encoded backslash (`%5c` or `%5C`)
Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.