GHSA-gx7w-56w6-g48x: Caddy: Remote Admin Authorization Bypass on PKI Endpoints via Prefix-Based Path Matching
Caddy’s remote admin access control performs path authorization using prefix matching:
admin.go: strings.HasPrefix(r.URL.Path, allowedPath)
Because the comparison is a raw string prefix with no path-segment boundary, a client certificate authorized only for /pki/ca/prod can also reach sibling PKI resources whose paths merely begin with the same characters, such as /pki/ca/prod-backup.
This is an authorization bug in Caddy’s source code, not a misconfiguration issue. The configured policy is more restrictive than the behavior that Caddy actually enforces.
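The following Go program is an added illustration, not Caddy's own code or its patch. It places the vulnerable check described above beside a segment-boundary check, and runs both against a constructed policy in which an assumed identity "prod-operator" is allowed only /pki/ca/prod. The function names, the policy type and the sample identity are assumptions made for this example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// prefixAllows reproduces the vulnerable behaviour from the advisory: a raw
// string-prefix comparison that ignores path-segment boundaries.
func prefixAllows(reqPath, allowedPath string) bool {
	return strings.HasPrefix(reqPath, allowedPath)
}

// segmentAllows is a hardened alternative (an assumption for this example,
// not Caddy's fix): after lexical normalisation the request path must equal
// the allowed path or extend it at a "/" boundary, so "/pki/ca/prod-backup"
// is not covered by "/pki/ca/prod" while "/pki/ca/prod/certificates" is.
func segmentAllows(reqPath, allowedPath string) bool {
	req := path.Clean("/" + reqPath)
	allowed := path.Clean("/" + allowedPath)
	if allowed == "/" {
		return true // an explicit root grant covers everything
	}
	return req == allowed || strings.HasPrefix(req, allowed+"/")
}

// policy maps an authenticated identity (hypothetical) to allowed paths.
type policy map[string][]string

// authorize reports whether any allowed path for ident covers reqPath under
// the supplied matcher, so the two checks can be compared on the same input.
func authorize(p policy, ident, reqPath string, match func(string, string) bool) bool {
	for _, allowed := range p[ident] {
		if match(reqPath, allowed) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed policy: the identity may administer only the prod CA.
	p := policy{"prod-operator": {"/pki/ca/prod"}}
	cases := []string{
		"/pki/ca/prod",
		"/pki/ca/prod/",
		"/pki/ca/prod/certificates",
		"/pki/ca/prod-backup", // sibling: prefix check allows, segment check denies
	}
	for _, c := range cases {
		fmt.Printf("%-28s prefix=%-5v segment=%v\n", c,
			authorize(p, "prod-operator", c, prefixAllows),
			authorize(p, "prod-operator", c, segmentAllows))
	}
}
```

Running it shows the only row where the two checks disagree is the sibling path: the prefix check grants /pki/ca/prod-backup, the segment check does not, while legitimate sub-resources of /pki/ca/prod remain reachable under both.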