CVE-2026-27586: CWE-755: Improper Handling of Exceptional Conditions in caddyserver caddy
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but accepts any client certificate signed by any system-trusted CA, completely bypassing the intended private CA trust boundary. Any deployment using `trusted_ca_cert_file` or `trusted_ca_certs_pem_files` for mTLS will silently degrade to accepting any system-trusted client certificate if the CA file becomes unavailable. This can happen due to a typo in the path, file rotation, corruption, or permission changes. The server gives no indication that mTLS is misconfigured. Version 2.11.1 fixes the vulnerability.
AI Analysis
Technical Summary
CVE-2026-27586 affects the caddyserver caddy platform, an extensible web server that uses TLS by default. The vulnerability arises from improper handling of exceptional conditions in the ClientAuthentication.provision() function prior to version 2.11.1. When a private CA certificate file specified by the parameters trusted_ca_cert_file or trusted_ca_certs_pem_files is missing, unreadable, or malformed, two errors are swallowed silently. Instead of failing server startup or rejecting client certificates, the server falls back to accepting any client certificate signed by any system-trusted CA. This behavior effectively bypasses the private CA trust boundary intended for mutual TLS (mTLS) client authentication. The underlying defect is the swallowed errors; the conditions that trigger it are ordinary operational events such as file path typos, file rotation, corruption, or permission changes that render the private CA certificate file inaccessible. The server provides no error or warning, making detection difficult. This flaw compromises the authentication mechanism by allowing any client holding a certificate issued by one of the system's default CAs to connect. The vulnerability has a CVSS 4.0 score of 8.8 (high severity), reflecting its network attack vector, no required privileges or user interaction, and high impact on confidentiality and integrity. The fix in version 2.11.1 ensures proper error handling and prevents the silent fallback, enforcing strict validation of the configured private CA certificates during mTLS setup.
Potential Impact
This vulnerability severely undermines the security guarantees of mutual TLS authentication in caddyserver deployments using private CA certificates. Organizations relying on mTLS to restrict client access based on a private CA trust boundary may unknowingly allow any client with a certificate signed by a system-trusted CA to connect, effectively granting unauthorized access. This can lead to unauthorized data access, potential lateral movement within networks, and compromise of sensitive services protected by mTLS. Since the server does not log or alert on the fallback condition, detection is challenging, increasing the risk of prolonged exploitation. The impact spans confidentiality and integrity, as attackers can impersonate legitimate clients and intercept or manipulate communications. Given caddy's popularity as a modern web server and reverse proxy, especially in cloud-native and DevOps environments, the vulnerability could affect a wide range of organizations globally. The lack of known exploits in the wild currently reduces immediate risk, but the high severity and ease of exploitation without authentication make timely patching critical.
Mitigation Recommendations
Organizations should immediately upgrade caddyserver to version 2.11.1 or later, which contains the fix for this vulnerability. Until upgrading, administrators must verify the accessibility, correctness, and permissions of all private CA certificate files specified in trusted_ca_cert_file and trusted_ca_certs_pem_files to ensure they are present and readable by the server process. Implement monitoring and alerting for file changes, permission modifications, or errors related to these certificate files. Additionally, enable verbose logging for mTLS authentication processes to detect anomalies. Conduct regular audits of client certificate acceptance policies and verify that only intended CAs are trusted. Consider deploying network-level controls to restrict client access and using additional authentication factors where feasible. Finally, integrate this vulnerability check into continuous security assessments and configuration management to prevent recurrence.
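The check the recommendations above ask administrators to perform by hand (every configured CA file present, readable, and parseable) is the same check a fail-closed loader performs at startup. The following Go program is an added example written for this page; it is not Caddy's code and it does not reproduce the fixed ClientAuthentication.provision(). It assumes a hypothetical function name LoadTrustedCAs, generates a throwaway self-signed CA (constructed for the example) so it can run offline, and shows the property the advisory is about: a missing, empty, or malformed CA file aborts with an error instead of leaving a nil pool that would make Go's TLS stack consult the system roots.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// ErrNoCertificates is returned when a file decodes but holds no CERTIFICATE block.
var ErrNoCertificates = errors.New("no CERTIFICATE blocks found")

// LoadTrustedCAs (hypothetical name) builds a CertPool from PEM files and fails
// closed: a missing, unreadable, empty or malformed file is an error, never a
// pool that silently falls back to the system roots.
func LoadTrustedCAs(paths []string) (*x509.CertPool, error) {
	if len(paths) == 0 {
		return nil, errors.New("no trusted CA files configured")
	}
	pool := x509.NewCertPool()
	for _, p := range paths {
		data, err := os.ReadFile(p)
		if err != nil {
			return nil, fmt.Errorf("reading trusted CA file %q: %w", p, err)
		}
		n, err := addPEMCerts(pool, data)
		if err != nil {
			return nil, fmt.Errorf("parsing trusted CA file %q: %w", p, err)
		}
		if n == 0 {
			return nil, fmt.Errorf("trusted CA file %q: %w", p, ErrNoCertificates)
		}
	}
	return pool, nil
}

// addPEMCerts adds every CERTIFICATE block to pool and reports how many it added.
// Unlike CertPool.AppendCertsFromPEM, which skips blocks that fail to parse,
// a malformed block is surfaced as an error.
func addPEMCerts(pool *x509.CertPool, data []byte) (int, error) {
	count := 0
	for {
		var block *pem.Block
		block, data = pem.Decode(data)
		if block == nil {
			return count, nil
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return count, err
		}
		pool.AddCert(cert)
		count++
	}
}

// NewMTLSConfig requires a client certificate chaining to one of the configured
// CAs. With ClientCAs set, the system roots are not consulted; a nil ClientCAs
// is exactly the fail-open state the advisory describes.
func NewMTLSConfig(pool *x509.CertPool) *tls.Config {
	return &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
}

// GenerateTestCA creates a throwaway self-signed CA (constructed for this
// example only) so the loader can run without real key material.
func GenerateTestCA() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-private-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	dir, _ := os.MkdirTemp("", "mtls-ca")
	defer os.RemoveAll(dir)
	caPEM, _ := GenerateTestCA()
	good := filepath.Join(dir, "ca.pem")
	_ = os.WriteFile(good, caPEM, 0o600)
	// Second path simulates the typo / rotated-away file from the advisory.
	for _, paths := range [][]string{{good}, {filepath.Join(dir, "typo.pem")}} {
		if _, err := LoadTrustedCAs(paths); err != nil {
			fmt.Println("refusing to start:", err)
		} else {
			fmt.Println("loaded trusted CAs from", paths)
		}
	}
}
```

The design point is that every failure path returns an error to the caller, which then refuses to start the listener; the operator sees the broken path or unreadable file at deploy time rather than discovering months later that any publicly-issued client certificate was accepted.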
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, India, Brazil, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-20T17:40:28.450Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699e0f3cbe58cf853b290cf4
Added to database: 2/24/2026, 8:51:08 PM
Last enriched: 3/4/2026, 7:04:57 PM
Last updated: 4/10/2026, 5:26:40 PM