PT-2026-21773 · Caddy · Caddy

Manizada · Published 2026-01-01 · Updated 2026-03-03 · CVE-2026-27588

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Caddy versions prior to 2.11.1
Description: Caddy's HTTP host request matcher is documented as case-insensitive, but it becomes case-sensitive when configured with a large host list (more than 100 entries), because that configuration takes an optimized matching path. The affected component is the MatchHost matcher, specifically the MatchHost.MatchWithError function, which uses a case-sensitive string comparison once the host list exceeds 100 entries. An attacker can therefore bypass host-based routing, and any access controls attached to that route, simply by altering the casing of the Host header (the standard HTTP request header that identifies the requested resource). This is a route/auth bypass in Caddy's request-matching layer: Internet-exposed Caddy deployments that rely on host matchers with large host lists to protect routes can be bypassed by a case change in the Host header, potentially allowing unauthorized access to sensitive endpoints.
Recommendations: Update to Caddy version 2.11.1 or later.
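To make the failure mode concrete, the following is an added Go illustration, not Caddy's own code: a host matcher that switches from a case-insensitive scan to a map lookup above a 100-entry threshold. The threshold value, the host names and the `normalize` switch are assumptions for this example; with `normalize` off, a mixed-case Host value misses the stored entry and the request falls outside the matched route, while with it on the lookup key is canonicalized the same way as the stored keys.

```go
package main

import (
	"fmt"
	"strings"
)

// Fast-path threshold from the advisory ("more than 100 entries"); all else is constructed.
const largeListThreshold = 100
type HostMatcher struct { // simplified model, not Caddy's MatchHost
	hosts     []string
	exact     map[string]struct{} // fast path, built only for large lists
	normalize bool                // true = hardened lookup key
}
func NewHostMatcher(hosts []string, normalize bool) *HostMatcher {
	m := &HostMatcher{hosts: hosts, normalize: normalize}
	if len(hosts) > largeListThreshold {
		m.exact = make(map[string]struct{}, len(hosts))
		for _, h := range hosts {
			m.exact[strings.ToLower(h)] = struct{}{} // keys stored canonical
		}
	}
	return m
}

// Match reports whether the Host header value reqHost is in the list.
func (m *HostMatcher) Match(reqHost string) bool {
	if m.exact == nil { // small list: case-insensitive linear scan
		for _, h := range m.hosts {
			if strings.EqualFold(h, reqHost) {
				return true
			}
		}
		return false
	}
	key := reqHost
	if m.normalize {
		key = strings.ToLower(key) // fix: same canonical form as the keys
	}
	_, ok := m.exact[key] // unnormalized: "Admin.Example.com" misses the entry
	return ok
}

func main() {
	hosts := []string{"admin.example.com"}
	for i := 0; i < 120; i++ {
		hosts = append(hosts, fmt.Sprintf("svc%d.example.com", i))
	}
	fmt.Println(NewHostMatcher(hosts, false).Match("Admin.Example.com")) // false
}
```

A request that the host matcher fails to match is not blocked; it simply is not routed by that matcher, which is why any authentication attached to the route no longer applies to it.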

Related Identifiers

CVE-2026-27588
GHSA-X76F-JF84-RQJ8
GO-2026-4541
SUSE-SU-2026:0757-1

Affected Products

Caddy