PT-2026-21768 · Caddy · Caddy

Moscowchill · Published 2026-01-01 · Updated 2026-03-03

CVE-2026-27586
CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Caddy versions prior to 2.11.1

Description: Caddy, an extensible server platform that uses TLS by default, has an issue where mTLS client certificate authentication can silently fail open under certain conditions. Specifically, if a CA certificate file is missing, unreadable, or malformed, the server starts without error but accepts any client certificate signed by any system-trusted CA, bypassing the intended private CA trust boundary. This occurs because errors in the ClientAuthentication.provision() function are swallowed, so the server never recognizes the misconfiguration. The issue affects deployments that configure mTLS with trusted_ca_cert_file or trusted_ca_certs_pem_files. The root cause is incorrect error handling in the provision() method in modules/caddytls/connpolicy.go, where return nil should be return err on lines 787 and 800. A proof of concept demonstrates that a client can connect successfully with any certificate, even a self-signed one, when the CA file does not exist.

Recommendations: Versions prior to 2.11.1 should be updated to version 2.11.1 or later to resolve this issue.
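As an added illustration (not Caddy's code, and simplified from the provision() logic the advisory describes), the Go snippet below places the fail-open CA-loading pattern beside its fail-closed correction; the function names and file paths are assumptions. In crypto/tls a nil ClientCAs pool means client certificates are verified against the system roots, which is the fail-open behaviour the description refers to.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"os"
)

// loadClientCAsFailOpen reproduces the flawed pattern described above
// (simplified illustration, not Caddy's own code): read and parse failures
// are swallowed, so the caller gets neither a pool nor an error.
func loadClientCAsFailOpen(path string) (*x509.CertPool, error) {
	pemBytes, err := os.ReadFile(path)
	if err != nil {
		return nil, nil // bug: should be "return nil, err"
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, nil // bug: malformed PEM is ignored too
	}
	return pool, nil
}

// loadClientCAsFailClosed is the corrected pattern: every failure is
// returned, so provisioning aborts and the server refuses to start.
func loadClientCAsFailClosed(path string) (*x509.CertPool, error) {
	pemBytes, err := os.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("reading trusted CA file %q: %w", path, err)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, fmt.Errorf("no valid CA certificate found in %q", path)
	}
	return pool, nil
}

func main() {
	// Constructed inputs: a path that does not exist and a file holding garbage.
	dir, _ := os.MkdirTemp("", "ca-check")
	defer os.RemoveAll(dir)
	bad := dir + "/bad.pem"
	_ = os.WriteFile(bad, []byte("this is not a certificate"), 0o600)
	for _, p := range []string{dir + "/missing.pem", bad} {
		pool, err := loadClientCAsFailOpen(p)
		fmt.Printf("fail-open:   pool=%v err=%v (%s)\n", pool != nil, err, p)
		_, err = loadClientCAsFailClosed(p)
		fmt.Printf("fail-closed: err=%v\n", err)
	}
}
```

Running it shows the fail-open variant returning no pool and no error for both the missing and the malformed file, while the fail-closed variant reports an error in both cases, which is the behaviour a startup check should enforce.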


Weakness Enumeration: Improper Handling of Exceptional Conditions

Related Identifiers

CVE-2026-27586
GHSA-HFFM-G8V7-WRV7
GO-2026-4539
SUSE-SU-2026:0757-1

Affected Products

Caddy