Bug 2442399 (CVE-2026-27590)
| Summary: | CVE-2026-27590 github.com/caddyserver/caddy/v2/modules/caddyhttp: Caddy: Remote Code Execution via FastCGI path confusion | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | Keywords: | Security |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | --- |
| Doc Text: | A flaw was found in Caddy's FastCGI path splitting logic. This vulnerability arises because the system computes the split index on a lowercased copy of the request path, which can be unsafe for Unicode characters. A remote attacker could exploit this by sending a specially crafted request, leading to path confusion where an unintended file might be executed. In configurations allowing attackers to control file uploads, this could result in the execution of arbitrary code, potentially leading to a complete compromise of the affected system. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2442424 | | |
| Bug Blocks: | | | |
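To make the Doc Text's point concrete, here is an added Go example (not Caddy's code and not the upstream patch): a split function that searches a fully lowercased copy of the path and applies the resulting byte index to the original, beside one that folds only ASCII letters so byte offsets stay aligned. The `.php` marker, the request path and the function names are constructed for the demonstration; the hardened variant is one possible fix, assumed here rather than taken from the project.

```go
package main

import (
	"fmt"
	"strings"
)

// splitPosUnsafe mirrors the flawed pattern the report describes: search in
// a fully lowercased copy, then apply the byte index to the original path.
// Unicode lowercasing can change byte length (U+212A KELVIN SIGN is 3 bytes
// in UTF-8 but lowercases to ASCII 'k', 1 byte), so the index drifts.
func splitPosUnsafe(path, split string) int {
	idx := strings.Index(strings.ToLower(path), strings.ToLower(split))
	if idx < 0 {
		return -1
	}
	return idx + len(split)
}

// asciiLower folds only A-Z, leaving every other byte untouched, so the
// result has exactly the same length and byte offsets as its input.
func asciiLower(s string) string {
	b := []byte(s)
	for i, c := range b {
		if c >= 'A' && c <= 'Z' {
			b[i] = c + ('a' - 'A')
		}
	}
	return string(b)
}

// splitPosSafe searches a length-preserving fold, so the returned index is
// valid for the original path. Illustrative hardening, not Caddy's patch.
func splitPosSafe(path, split string) int {
	idx := strings.Index(asciiLower(path), asciiLower(split))
	if idx < 0 {
		return -1
	}
	return idx + len(split)
}

func main() {
	// Constructed request path with U+212A ahead of the script name.
	path := "/\u212A/app.php/extra"
	u, s := splitPosUnsafe(path, ".php"), splitPosSafe(path, ".php")
	fmt.Printf("unsafe: script=%q rest=%q\n", path[:u], path[u:]) // script ends in "app.p"
	fmt.Printf("safe:   script=%q rest=%q\n", path[:s], path[s:]) // script ends in "app.php"
}
```

The unsafe variant cuts the script name one byte short because the Kelvin sign shrinks from 3 bytes to 1 under `strings.ToLower`; the ASCII-only fold keeps every offset identical to the original path.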
Description
OSIDB Bzimport
2026-02-24 17:04:15 UTC