CVE-2026-27585: Caddy: Improper sanitization of glob characters in file matcher may lead to bypassing security protections
The path sanitization in file matcher doesn’t sanitize backslashes which can lead to bypassing path related security protections.
References
- caddyserver.com/docs/caddyfile/directives
- github.com/advisories/GHSA-4xrr-hq4w-6vf4
- github.com/caddyserver/caddy
- github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58ca0/modules/caddyhttp/fileserver/matcher.go
- github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58ca0/modules/caddyhttp/fileserver/matcher.go
- github.com/caddyserver/caddy/releases/tag/v2.11.1
- github.com/caddyserver/caddy/security/advisories/GHSA-4xrr-hq4w-6vf4
- nvd.nist.gov/vuln/detail/CVE-2026-27585
Code Behaviors & Features
Detect and mitigate CVE-2026-27585 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →