CVE-2026-27587

UNKNOWN 0.0

Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path. Version 2.11.1 contains a fix for the issue.

CWE	CWE-178
Vendor	caddyserver
Product	caddy
Published	Feb 24, 2026
Last Updated	Feb 27, 2026

Stay Ahead of the Next One

Get instant alerts for caddyserver caddy

Be the first to know when new unknown vulnerabilities affecting caddyserver caddy are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

caddyserver / caddy

< 2.11.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/caddyserver/caddy/security/advisories/GHSA-g7pc-pc7g-h8jh github.com: https://github.com/caddyserver/caddy/releases/tag/v2.11.1