CVE-2026-27588
Published: 24 February 2026
Summary
CVE-2026-27588 is a critical-severity Improper Handling of Case Sensitivity (CWE-178) vulnerability in Caddyserver Caddy. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 19.3rd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-4 (Information Flow Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the case-sensitivity flaw in Caddy's HTTP host matcher for large lists, preventing Host header manipulation to bypass routing and access controls.
- AC-4 (Information Flow Enforcement): Enforces information flow control policies using host attributes, mitigating bypass of host-based routing via inconsistent case handling in the Host header.
- Monitors system activity to identify exploitation attempts through anomalous Host header casing patterns in HTTP requests.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in public-facing Caddy web server allows direct bypass of host-based routing and access controls via crafted Host header casing, enabling unauthorized access to restricted endpoints.
NVD Description
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the casing of the `Host` header. Version 2.11.1 contains a fix for the issue.
Deeper analysis
CVE-2026-27588 affects Caddy, an extensible server platform that uses TLS by default, in versions prior to 2.11.1. The vulnerability stems from the HTTP `host` request matcher, which is documented as case-insensitive but becomes case-sensitive when configured with a large host list exceeding 100 entries due to an optimized matching path. This inconsistency, classified under CWE-178 (Improper Handling of Case Sensitivity), enables attackers to bypass host-based routing and associated access controls by manipulating the casing of the `Host` header. The issue carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity with high impacts on confidentiality and integrity.
Any unauthenticated remote attacker with network access can exploit this vulnerability by crafting HTTP requests with altered casing in the `Host` header, such as changing "example.com" to "Example.com" when the configuration expects a specific case. This allows evasion of intended routing logic, potentially granting access to restricted routes, sensitive endpoints, or resources protected by host-specific access controls. Exploitation requires no privileges, user interaction, or special conditions beyond a large host list in the Caddy configuration, making it straightforward in misconfigured deployments.
The Caddy security advisory (GHSA-x76f-jf84-rqj8) and release notes for version 2.11.1 detail the fix, which restores consistent case-insensitive matching regardless of host list size. Security practitioners should upgrade to Caddy 2.11.1 or later to mitigate the issue, review configurations with large host lists for exposure, and monitor `Host` header patterns in access logs for signs of bypass attempts.
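To make the inconsistency concrete, the following is an added, illustrative Go reconstruction of the bug class; it is not Caddy's code and not its actual fix. It assumes a matcher that compares case-insensitively (`strings.EqualFold`) for small lists but, above a 100-entry threshold, switches to a map keyed on each host exactly as configured, so a request whose `Host` differs only in case misses the route; the `fixed` variant canonicalises case on both insert and lookup, and the host list is constructed sample input.

```go
package main

import "strings"

// Advisory's ">100 entries" boundary; illustrative reconstruction of the bug class, not Caddy's code.
const largeListThreshold = 100

type HostMatcher struct {
	hosts   []string
	hostMap map[string]struct{} // only built for large lists
	fixed   bool                // hardened variant lower-cases on insert and lookup
}

func NewHostMatcher(hosts []string, fixed bool) *HostMatcher {
	m := &HostMatcher{hosts: hosts, fixed: fixed}
	if len(hosts) > largeListThreshold {
		m.hostMap = make(map[string]struct{}, len(hosts))
		for _, h := range hosts {
			if fixed {
				h = strings.ToLower(h)
			}
			m.hostMap[h] = struct{}{} // unfixed: key is byte-exact as configured
		}
	}
	return m
}

func (m *HostMatcher) Match(host string) bool {
	if m.hostMap == nil { // small list: consistent case-insensitive compare
		for _, h := range m.hosts {
			if strings.EqualFold(h, host) {
				return true
			}
		}
		return false
	}
	if m.fixed {
		host = strings.ToLower(host)
	}
	_, ok := m.hostMap[host] // unfixed: "Example.com" misses "example.com"
	return ok
}

// SampleHosts is constructed input: example.com plus n-1 distinct subdomains.
func SampleHosts(n int) []string {
	hosts := []string{"example.com"}
	for len(hosts) < n {
		hosts = append(hosts, "site-"+strings.Repeat("a", len(hosts))+".example.com")
	}
	return hosts
}
```

The same request that matches a 10-entry list fails against the unfixed 150-entry matcher unless its casing is byte-identical to the configuration, which is exactly the inconsistency CWE-178 describes.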
Details
- CWE(s)