2442407 – (CVE-2026-27586) CVE-2026-27586 github.com/caddyserver/caddy/v2/modules/caddytls: Caddy: Authentication bypass via mTLS client certificate validation failure

Bug 2442407 (CVE-2026-27586) - CVE-2026-27586 github.com/caddyserver/caddy/v2/modules/caddytls: Caddy: Authentication bypass via mTLS client certificate validation failure

Summary: CVE-2026-27586 github.com/caddyserver/caddy/v2/modules/caddytls: Caddy: Authe...

Keywords:
Status:	NEW
Alias:	CVE-2026-27586
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2442430 2442431 2442432 2442433
Blocks:
TreeView+	depends on / blocked

Reported:	2026-02-24 17:04 UTC by OSIDB Bzimport
Modified:	2026-02-24 19:21 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-02-24 17:04:56 UTC

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but accepts any client certificate signed by any system-trusted CA, completely bypassing the intended private CA trust boundary. Any deployment using `trusted_ca_cert_file` or `trusted_ca_certs_pem_files` for mTLS will silently degrade to accepting any system-trusted client certificate if the CA file becomes unavailable. This can happen due to a typo in the path, file rotation, corruption, or permission changes. The server gives no indication that mTLS is misconfigured. Version 2.11.1 fixes the vulnerability.

Note You need to log in before you can comment on or make changes to this bug.