CVE-2026-27588: Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass
Caddy’s HTTP host request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the casing of the Host header.
References
- github.com/advisories/GHSA-x76f-jf84-rqj8
- github.com/caddyserver/caddy
- github.com/caddyserver/caddy/commit/eec32a0bb5a11651c6a7b04ce82dc50610f2b27e
- github.com/caddyserver/caddy/releases/tag/v2.11.1
- github.com/caddyserver/caddy/security/advisories/GHSA-x76f-jf84-rqj8
- nvd.nist.gov/vuln/detail/CVE-2026-27588
Code Behaviors & Features
Detect and mitigate CVE-2026-27588 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →