CVE-2026-27590 Overview
CVE-2026-27590 is a path confusion vulnerability in Caddy, an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because strings.ToLower() can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect SCRIPT_NAME/SCRIPT_FILENAME and PATH_INFO, potentially causing a request that contains .php to execute a different on-disk file than intended.
Critical Impact
In setups where an attacker can control file contents (e.g., upload features), this vulnerability can lead to unintended PHP execution of non-.php files, potentially resulting in Remote Code Execution (RCE) depending on deployment configuration.
Affected Products
- Caddyserver Caddy versions prior to 2.11.1
- Caddy deployments using FastCGI with PHP backends
- FrankenPHP deployments using affected Caddy versions
Discovery Timeline
- 2026-02-24 - CVE-2026-27590 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-27590
Vulnerability Analysis
This vulnerability stems from an improper input validation issue (CWE-20) in Caddy's FastCGI path splitting mechanism. The core problem lies in how Caddy handles Unicode characters during path processing. When a request path contains certain Unicode characters, the strings.ToLower() function in Go can produce a string with a different byte length than the original. This byte length discrepancy creates a mismatch between the computed split index and the actual path structure.
The practical impact is that Caddy may incorrectly calculate where to split the path for determining SCRIPT_NAME, SCRIPT_FILENAME, and PATH_INFO FastCGI variables. This path confusion can cause the server to execute a different file than what the URL path appears to reference.
Root Cause
The root cause is the unsafe handling of Unicode byte lengths during path splitting operations. The vulnerability occurs because:
- Caddy performs path splitting calculations on a lowercased copy of the request path
- The strings.ToLower() function can alter UTF-8 byte length for certain characters (such as specific Turkish or German characters)
- The calculated byte index is then applied to the original path, which may have different byte boundaries
- This mismatch results in incorrect path splitting and script filename derivation
Attack Vector
This vulnerability is exploitable over the network without authentication. An attacker can craft malicious HTTP requests containing specific Unicode characters in the path that exploit the byte length discrepancy. The attack scenario typically involves:
- Uploading a malicious file with non-.php extension to the server (e.g., through an upload feature)
- Crafting a request with Unicode characters that causes path confusion
- Manipulating the request so that the intended .php script execution instead triggers execution of the uploaded malicious file
The vulnerability requires the attacker to have some ability to control file contents on the server, such as through upload functionality, making it dependent on specific deployment configurations. However, when exploitable, the impact can be severe, potentially allowing Remote Code Execution on the affected server.
Detection Methods for CVE-2026-27590
Indicators of Compromise
- Unusual HTTP requests containing non-standard Unicode characters in PHP-related paths
- Web server logs showing discrepancies between requested paths and executed scripts
- Unexpected PHP execution of files with non-.php extensions
- Upload directories containing files with suspicious content despite non-executable extensions
Detection Strategies
- Monitor web server access logs for requests containing unusual Unicode character sequences targeting FastCGI endpoints
- Implement anomaly detection for path patterns that include multibyte Unicode characters followed by .php extensions
- Review file execution logs for PHP processes that execute files outside expected script directories
- Deploy Web Application Firewall (WAF) rules to detect and block requests with suspicious Unicode path manipulation attempts
Monitoring Recommendations
- Enable verbose logging for FastCGI module operations in Caddy
- Set up alerts for file execution events from upload directories or user-writable locations
- Monitor for unusual process spawning patterns from the web server process
- Implement file integrity monitoring on directories accessible via web requests
How to Mitigate CVE-2026-27590
Immediate Actions Required
- Upgrade Caddy to version 2.11.1 or later immediately
- Review server configurations to identify deployments using FastCGI with PHP backends
- Audit file upload functionality to ensure uploaded files cannot be executed as PHP scripts
- Implement strict file type validation on upload endpoints to prevent malicious file uploads
Patch Information
Caddyserver has released version 2.11.1 which addresses this vulnerability. The fix ensures proper handling of Unicode byte lengths during path splitting operations. Administrators should upgrade to this version as soon as possible. For detailed information about the patch, refer to the Caddy Release v2.11.1 and the GitHub Security Advisory.
Workarounds
- Restrict file upload functionality to prevent users from uploading files with arbitrary content
- Configure the web server to only execute PHP files from specific, restricted directories that are not writable by upload processes
- Implement strict input validation on request paths to reject or sanitize unusual Unicode character sequences
- Use separate storage locations for uploaded files that are not accessible via FastCGI execution paths
# Configuration example - Restrict PHP execution to specific directories only
# In Caddyfile, ensure php_fastcgi is only configured for trusted script paths
example.com {
root * /var/www/html
# Only allow PHP execution from specific directories
@php_allowed path /app/*.php /scripts/*.php
php_fastcgi @php_allowed unix//run/php/php-fpm.sock
# Ensure uploads directory cannot execute PHP
handle /uploads/* {
file_server
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
