CVE-2026-27585: Caddy: Improper sanitization of glob characters in file matcher may lead to bypassing security protections
The path sanitization in the file matcher does not sanitize backslashes, which can allow a request path to bypass path-related security protections.
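The sanitization gap described above is the general one of cleaning a request path with slash-only rules while a backslash can also act as a separator on the target platform. The following is an added illustration of that class, not Caddy's own matcher code: naiveJoin cleans with the slash-only path package and so leaves a `..\` component intact, while hardenedJoin folds backslashes into forward slashes before cleaning. The root, request path and the escapesRoot simulation of backslash-as-separator resolution are all constructed for the example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// naiveJoin mirrors a common mistake (illustrative, not Caddy's code): it
// cleans the request path with the slash-only "path" package and joins the
// result under root. Backslash components are opaque to path.Clean, so a
// "..\" sequence survives and, where "\" is also a separator, walks upward.
func naiveJoin(root, reqPath string) string {
	rel := path.Clean("/" + reqPath)[1:] // strip the leading "/" after cleaning
	return root + "/" + rel
}

// hardenedJoin normalizes backslashes to forward slashes first, so every
// ".." component is visible to path.Clean, which collapses them against the
// synthetic leading "/" and cannot climb above root.
func hardenedJoin(root, reqPath string) string {
	rel := strings.ReplaceAll(reqPath, "\\", "/")
	rel = path.Clean("/" + rel)[1:]
	return path.Join(root, rel)
}

// escapesRoot simulates a resolver that treats both "/" and "\" as
// separators (as Windows does) and reports whether the joined path lands
// outside root. This is a model for the example; real resolution is done
// by the operating system.
func escapesRoot(root, joined string) bool {
	norm := func(p string) string {
		return path.Clean(strings.ReplaceAll(p, "\\", "/"))
	}
	r, j := norm(root), norm(joined)
	return j != r && !strings.HasPrefix(j, r+"/")
}

func main() {
	// Constructed sample input: a request path built from backslash components.
	root := "/srv/www"
	req := `..\..\etc\passwd`

	n := naiveJoin(root, req)
	fmt.Printf("naive:    %q escapes root: %v\n", n, escapesRoot(root, n))

	h := hardenedJoin(root, req)
	fmt.Printf("hardened: %q escapes root: %v\n", h, escapesRoot(root, h))
}
```

The hardened variant only shows the normalization step; a file matcher that later passes the path to a glob or to an OS-level open still needs its own checks for glob metacharacters and for symlinks under the root.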
References
- caddyserver.com/docs/caddyfile/directives
- github.com/advisories/GHSA-4xrr-hq4w-6vf4
- github.com/caddyserver/caddy
- github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58ca0/modules/caddyhttp/fileserver/matcher.go
- github.com/caddyserver/caddy/releases/tag/v2.11.1
- github.com/caddyserver/caddy/security/advisories/GHSA-4xrr-hq4w-6vf4
- nvd.nist.gov/vuln/detail/CVE-2026-27585
- pkg.go.dev/vuln/GO-2026-4535