PT-2026-21767 · Caddy · Caddy

Parrot409 · Published 2026-01-01 · Updated 2026-03-03 · CVE-2026-27585

CVSS v4.0: 8.2 High
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Caddy versions prior to 2.11.1
Description: The path sanitization routine in Caddy's file matcher does not properly sanitize backslashes, potentially allowing bypass of path-related security protections. This issue affects users with specific Caddy and environment configurations. The vulnerability can be exploited by crafting requests with backslashes in the path, which can bypass reverse proxy protections or other path-based security measures. The try_files directive is involved in this issue: configurations that combine blacklisting and file serving may be vulnerable if try_files and the filtering route/handle directives are in the same block. A proof-of-concept demonstrates bypassing an Nginx protection by using a URL-encoded backslash in the path.
Recommendations: Update Caddy to version 2.11.1 or later.
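The class of defect described above, shown as an added illustration in Go that is not Caddy's own code: a path sanitizer that only understands "/" as a separator lets a decoded backslash segment survive cleaning, so a prefix-based deny rule no longer matches, while a sanitizer that normalizes backslashes first collapses the segment as intended. The "/admin/" deny prefix and the sample request paths are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// weakSanitize mirrors the flawed pattern: only "/" is treated as a
// separator, so a "..\" segment is kept as an ordinary file name.
func weakSanitize(p string) string {
	return path.Clean("/" + p)
}

// hardenedSanitize normalizes backslashes to forward slashes before
// cleaning, so "..\" segments collapse exactly like "../" segments.
func hardenedSanitize(p string) string {
	return path.Clean("/" + strings.ReplaceAll(p, `\`, "/"))
}

// denied reports whether the decoded, sanitized request path falls under
// the constructed deny prefix "/admin". Unparsable input is rejected.
func denied(sanitize func(string) string, rawPath string) bool {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return true
	}
	clean := sanitize(decoded)
	return clean == "/admin" || strings.HasPrefix(clean, "/admin/")
}

func main() {
	// Constructed sample: a URL-encoded backslash (%5C) inside a traversal segment.
	req := "/static/..%5Cadmin"
	fmt.Printf("weak sanitizer denies %q: %v\n", req, denied(weakSanitize, req))
	fmt.Printf("hardened sanitizer denies %q: %v\n", req, denied(hardenedSanitize, req))
}
```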

Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers

CVE-2026-27585
GHSA-4XRR-HQ4W-6VF4
GO-2026-4535
SUSE-SU-2026:0757-1

Affected Products

Caddy