CVE-2026-27585: CWE-20: Improper Input Validation in caddyserver caddy
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in the file matcher doesn't sanitize backslashes, which can lead to bypassing path-related security protections. It affects users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-27585 is a vulnerability in the Caddy web server platform, classified as CWE-20 (Improper Input Validation). The issue lies in the path sanitization routine of Caddy's file matcher component, which fails to sanitize backslash characters ('\') in file paths. The flaw exists in all Caddy versions prior to 2.11.1. Because backslashes are not handled, an attacker can send specially crafted requests that bypass path-related security controls, potentially gaining access to files or directories outside the intended scope; this can result in information disclosure or unauthorized file retrieval. The vulnerability is exploitable remotely without authentication or user interaction, which raises its risk profile. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impact on integrity (VI:H) but no impact on confidentiality or availability. Caddy 2.11.1 fixes the issue by extending the path sanitization logic to handle backslashes, closing the bypass. No public exploits have been reported yet, but the nature of the flaw makes it a candidate for exploitation in environments where Caddy serves files directly or acts as a reverse proxy with file serving enabled, and where path sanitization is relied upon for security.
Potential Impact
The vulnerability can lead to unauthorized access to files or directories that path sanitization is meant to protect, potentially exposing sensitive information or configuration files. This can compromise the integrity of the server by allowing attackers to read or manipulate files outside the intended directory scope. Because the attack requires no authentication or user interaction and can be performed remotely, it poses a significant risk to internet-facing Caddy servers. Organizations running vulnerable versions of Caddy in production, especially those serving sensitive content or acting as reverse proxies, may face data breaches or further exploitation chains. The impact is primarily on integrity and confidentiality, with no direct availability impact. The moderate CVSS score reflects the ease of exploitation combined with the potential for significant unauthorized access. Failure to patch could invite targeted attacks against organizations that rely on Caddy for secure file serving or web hosting.
Mitigation Recommendations
1. Upgrade all Caddy server instances to version 2.11.1 or later immediately to ensure the path sanitization routine properly handles backslashes.
2. Review and audit any custom configurations or plugins that interact with file paths to ensure they do not rely solely on Caddy's sanitization, and implement additional input validation if necessary.
3. Implement strict access controls and file system permissions to limit the impact of any potential path traversal or bypass attempts.
4. Monitor web server logs for suspicious requests containing backslashes or unusual path patterns that could indicate exploitation attempts.
5. Employ web application firewalls (WAFs) with rules designed to detect and block path traversal or malformed path requests targeting Caddy servers.
6. Conduct regular security assessments and penetration testing focusing on path traversal and input validation weaknesses in your web infrastructure.
7. Educate development and operations teams about the importance of input validation and patch management to prevent similar vulnerabilities.
Affected Countries
United States, Germany, United Kingdom, Netherlands, Canada, Australia, France, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-20T17:40:28.450Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699e0f3cbe58cf853b290cee
Added to database: 2/24/2026, 8:51:08 PM
Last enriched: 3/4/2026, 7:04:35 PM
Last updated: 4/9/2026, 7:49:44 PM
Views: 104