Bug 2442398 (CVE-2026-27587)

Summary: CVE-2026-27587 github.com/caddyserver/caddy/v2/modules/caddyhttp: Caddy: Access control bypass due to improper handling of percent-escape sequences in HTTP path matcher
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Caddy, an extensible server platform. The HTTP path request matcher, intended to be case-insensitive, incorrectly processes percent-escape sequences. This vulnerability allows a remote attacker to bypass path-based routing and associated access controls by manipulating the casing of percent-escaped characters in the request path. This can lead to unauthorized access to protected resources.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2442422    
Bug Blocks:    

Description OSIDB Bzimport 2026-02-24 17:04:00 UTC 
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path. Version 2.11.1 contains a fix for the issue.