CVE-2026-27587
Published: 24 February 2026
Summary
CVE-2026-27587 is a critical-severity Improper Handling of Case Sensitivity (CWE-178) vulnerability in Caddyserver Caddy. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the 19.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mandates identification, reporting, and correction of the specific flaw in Caddy's case-insensitive path matching with percent-escapes, aligning with the official upgrade to version 2.11.1.
- Requires validation and normalization of HTTP path inputs, including proper handling of case sensitivity and percent-decoding, to block bypass attempts via manipulated path casing.
- Enables proactive vulnerability scanning to identify the Caddy path matcher flaw (CWE-178), facilitating timely patching before exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The path matcher case-sensitivity flaw in the public-facing Caddy HTTP server directly enables remote, unauthenticated bypass of access-control rules, matching the definition of T1190 Exploit Public-Facing Application.
NVD Description
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path. Version 2.11.1 contains a fix for the issue.
Deeper analysis
CVE-2026-27587 affects Caddy, an extensible server platform that uses TLS by default, in versions prior to 2.11.1. The vulnerability lies in the HTTP `path` request matcher, which is intended to match case-insensitively. When the match pattern includes percent-escape sequences (`%xx`), however, the matcher compares the pattern against the request's escaped path without lowercasing. This inconsistency (classified as CWE-178: Improper Handling of Case Sensitivity) lets an attacker bypass path-based routing and the access controls attached to those routes by manipulating the casing of the request path. The issue carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N); the critical rating reflects the high confidentiality and integrity impacts.
Any unauthenticated attacker with network access to a vulnerable Caddy instance can exploit this flaw remotely with low complexity and no user interaction required. By crafting HTTP requests where the path uses percent-encoded characters and varies the case (e.g., mixing uppercase and lowercase letters in the path), the attacker can evade intended route matching. This allows access to protected resources, potentially exposing sensitive data (high confidentiality impact) or enabling unauthorized modifications (high integrity impact), such as reaching administrative endpoints or private files gated by path-specific rules.
The official mitigation is to upgrade to Caddy version 2.11.1 or later, which fixes the lowercasing of request paths matched against patterns containing percent-escapes. Details are available in the Caddy release notes at https://github.com/caddyserver/caddy/releases/tag/v2.11.1 and in the security advisory at https://github.com/caddyserver/caddy/security/advisories/GHSA-g7pc-pc7g-h8jh; both confirm that the patch resolves the bypass, and no additional workarounds are recommended.
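As an added illustration (not Caddy's own code, and a deliberately simplified reconstruction), the two matcher variants below model the behaviour the advisory describes: `matchVulnerable` compares a pattern containing a `%xx` escape against the request's escaped path without lowercasing it, while `matchFixed` lowercases whichever path form is compared. The prefix rule for a trailing `*`, the function names and the sample route are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Simplified matcher shape (an assumption): a trailing "*" means prefix
// match, otherwise the whole path must be equal.
func patternMatches(pattern, reqPath string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(reqPath, strings.TrimSuffix(pattern, "*"))
	}
	return reqPath == pattern
}

// matchVulnerable models the pre-2.11.1 behaviour the advisory describes:
// the decoded path is lowercased, but a pattern containing a percent-escape
// is compared against the escaped request path, which is never lowercased.
func matchVulnerable(pattern string, u *url.URL) bool {
	pattern = strings.ToLower(pattern)
	if strings.Contains(pattern, "%") {
		// BUG: request casing survives here, so "/ADMIN%20..." slips past the route
		return patternMatches(pattern, path.Clean(u.EscapedPath()))
	}
	return patternMatches(pattern, strings.ToLower(path.Clean(u.Path)))
}

// matchFixed lowercases whichever form of the request path is compared,
// so the casing chosen by the client no longer affects the match result.
func matchFixed(pattern string, u *url.URL) bool {
	reqPath := u.Path
	if strings.Contains(pattern, "%") {
		reqPath = u.EscapedPath()
	}
	return patternMatches(strings.ToLower(pattern), strings.ToLower(path.Clean(reqPath)))
}

func main() {
	pattern := "/admin%20panel*" // constructed sample route with a %20 escape
	for _, req := range []string{"/admin%20panel/users", "/ADMIN%20panel/users"} {
		u, _ := url.Parse(req)
		fmt.Printf("%-22s vulnerable=%-5v fixed=%v\n", req, matchVulnerable(pattern, u), matchFixed(pattern, u))
	}
}
```

The re-cased request is the one the vulnerable variant fails to route, which is exactly the condition that lets it reach whatever sits behind the unmatched route; a regression test of this shape on your own routes is a cheap way to confirm the upgrade took effect.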
Details
- CWE(s)