PT-2026-21772 · Caddy · Caddy
Manizada · Published 2026-01-01 · Updated 2026-03-03 · CVE-2026-27587
CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Caddy versions prior to 2.11.1
Description: Caddy's HTTP path request matcher is intended to be case-insensitive, but when a match pattern contains percent-escape sequences (%xx) the matcher compares it against the request's escaped path without lowercasing that path. Because r.URL.EscapedPath() is not lowercased, a request path that differs from the pattern only in letter case fails the escaped-space match even though MatchPath is meant to be case-insensitive. An attacker can therefore bypass path-based routing, and any access controls attached to that route, simply by changing the casing of the request path.
Recommendations: Update to Caddy version 2.11.1 or later.
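The mismatch described above, reduced to a small model written for this advisory (not Caddy's own matcher): one function compares the pattern against the escaped request path without lowercasing it, the other lowercases both sides. The pattern "/admin%20panel" and the request paths are constructed sample values.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// mustParse builds a *url.URL from a raw request target (sample helper).
func mustParse(raw string) *url.URL {
	u, err := url.Parse(raw)
	if err != nil {
		panic(err)
	}
	return u
}

// matchPathVulnerable models the flawed behaviour: the pattern is lowercased,
// but when it contains a percent-escape the comparison target, the escaped
// request path, keeps its original case, so "/Admin%20panel" never matches.
func matchPathVulnerable(pattern string, u *url.URL) bool {
	pattern = strings.ToLower(pattern)
	if strings.Contains(pattern, "%") {
		return u.EscapedPath() == pattern // case preserved: mismatch on "/Admin%20panel"
	}
	return strings.ToLower(u.Path) == pattern
}

// matchPathFixed lowercases the escaped path as well, so a request that differs
// from the protected pattern only in casing still hits the route (and any
// access control attached to it). Hex digits in escapes are lowercased on
// both sides, so "%2F" and "%2f" compare equal.
func matchPathFixed(pattern string, u *url.URL) bool {
	pattern = strings.ToLower(pattern)
	if strings.Contains(pattern, "%") {
		return strings.ToLower(u.EscapedPath()) == pattern
	}
	return strings.ToLower(u.Path) == pattern
}

func main() {
	pattern := "/admin%20panel" // constructed protected route pattern
	for _, raw := range []string{"/admin%20panel", "/Admin%20panel", "/ADMIN%20PANEL"} {
		u := mustParse(raw)
		fmt.Printf("%-16s vulnerable=%-5v fixed=%v\n",
			raw, matchPathVulnerable(pattern, u), matchPathFixed(pattern, u))
	}
}
```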

Related Identifiers

CVE-2026-27587
GHSA-G7PC-PC7G-H8JH
GO-2026-4538
SUSE-SU-2026:0757-1

Affected Products

Caddy