CVE-2026-27587 Overview
CVE-2026-27587 is an authorization bypass vulnerability in Caddy, an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP path request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (%xx) it compares against the request's escaped path without lowercasing. This flaw allows an attacker to bypass path-based routing and any access controls attached to that route by simply changing the casing of the request path.
Critical Impact
Attackers can bypass authentication and authorization controls by manipulating URL path casing, potentially gaining unauthorized access to protected resources and administrative endpoints.
Affected Products
- Caddyserver Caddy versions prior to 2.11.1
- Deployments using path-based access control with percent-encoded patterns
- Web applications relying on Caddy's path matcher for security enforcement
Discovery Timeline
- 2026-02-24 - CVE-2026-27587 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-27587
Vulnerability Analysis
This vulnerability falls under CWE-178 (Improper Handling of Case Sensitivity), affecting the path matching logic in Caddy's HTTP request handling. The core issue stems from inconsistent case handling when percent-escape sequences are present in URL patterns.
Caddy's path matcher is designed to perform case-insensitive comparisons for routing decisions. However, when a route pattern includes percent-encoded characters (such as %2F for / or %20 for space), the comparison logic fails to normalize the case of both the pattern and the incoming request path. This creates a discrepancy where an attacker can craft requests with altered character casing to evade pattern matching entirely.
The vulnerability is exploitable over the network without authentication, making it particularly dangerous for deployments that rely solely on path-based access controls for protecting sensitive endpoints.
Root Cause
The root cause lies in the path matching implementation that processes percent-escape sequences. When these sequences are present in route configurations, the matching function compares the escaped path directly without performing case normalization. This violates the expected case-insensitive behavior and creates a security gap.
The issue specifically affects scenarios where:
- Route patterns contain percent-encoded characters
- Access control decisions depend on path matching
- Case-insensitive matching is assumed by administrators
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Identifying protected endpoints that use path-based access controls
- Analyzing the URL pattern to determine if percent-encoding is involved
- Crafting requests with alternative casing (e.g., /Admin instead of /admin or /PROTECTED%2Fresource instead of /protected%2Fresource)
- Bypassing the access control to reach protected resources
For example, if a Caddy configuration protects /api%2Fadmin with authentication requirements, an attacker could potentially access it using /API%2FADMIN or /Api%2FAdmin, as the case-insensitive comparison fails when percent-escape sequences are present.
Detection Methods for CVE-2026-27587
Indicators of Compromise
- Unusual URL patterns in access logs with mixed or unexpected casing
- Access to protected resources without corresponding authentication events
- HTTP requests containing percent-encoded sequences with non-standard casing
- Spike in 200 responses for typically protected endpoints
Detection Strategies
- Review Caddy access logs for requests to sensitive paths with unusual casing variations
- Implement web application firewall (WAF) rules to detect case manipulation attempts on protected paths
- Monitor for authentication bypass patterns where protected endpoints are accessed without valid credentials
- Deploy anomaly detection for URL path patterns that deviate from normal application behavior
Monitoring Recommendations
- Enable detailed access logging in Caddy to capture full request paths including query strings
- Configure alerting for access to administrative or sensitive endpoints from unexpected sources
- Implement centralized log analysis to correlate access patterns across multiple Caddy instances
- Regularly audit access control configurations for patterns containing percent-encoded characters
How to Mitigate CVE-2026-27587
Immediate Actions Required
- Upgrade Caddy to version 2.11.1 or later immediately
- Review all route configurations for patterns containing percent-escape sequences
- Audit access logs for potential exploitation attempts prior to patching
- Implement additional authentication layers for critical endpoints as defense-in-depth
Patch Information
The vulnerability has been addressed in Caddy version 2.11.1. Organizations should upgrade to this version or later to remediate the issue. The fix ensures proper case normalization when comparing paths containing percent-escape sequences.
For detailed patch information, refer to the GitHub Caddy Release v2.11.1 and the GitHub Security Advisory GHSA-g7pc-pc7g-h8jh.
Workarounds
- Avoid using percent-escape sequences in path matcher patterns where possible
- Implement additional authentication mechanisms at the application layer rather than relying solely on Caddy's path matching
- Use explicit case-sensitive matching with both upper and lower case variants defined
- Deploy a reverse proxy or WAF in front of Caddy to normalize request paths before they reach the server
# Example: Verify Caddy version after upgrade
caddy version
# Should output v2.11.1 or higher
# Reload Caddy configuration after upgrade
caddy reload --config /etc/caddy/Caddyfile
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
