CVE-2026-27587 is a vulnerability in the Caddy web server platform, specifically affecting versions prior to 2.11.1. Caddy's HTTP path request matcher is designed to be case-insensitive to facilitate flexible routing. However, when the path pattern includes percent-escape sequences (e.g., %xx encoding), the matcher compares the request's escaped path without converting it to lowercase. This improper handling of case sensitivity (CWE-178) allows an attacker to craft HTTP requests with altered casing in the percent-encoded segments of the URL path. Because the matcher does not normalize these sequences to lowercase, the attacker can bypass path-based routing rules and any access controls tied to those routes. This bypass can enable unauthorized access to protected resources or functionality. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on integrity. The issue was addressed in Caddy version 2.11.1 by ensuring proper case normalization of percent-encoded path segments during matching. No public exploit code or active exploitation has been reported to date, but the nature of the flaw makes it a significant risk for affected deployments.

The vulnerability allows attackers to circumvent path-based routing and access control mechanisms by manipulating the case of percent-encoded characters in URL paths. This can lead to unauthorized access to sensitive endpoints, potentially exposing confidential data or enabling unauthorized operations. Since Caddy is often used as a TLS-enabled web server and reverse proxy, exploitation could compromise web applications behind it, undermining confidentiality and integrity. The lack of authentication or user interaction requirements makes exploitation straightforward for remote attackers. Organizations relying on vulnerable Caddy versions may face data breaches, service misuse, or further compromise of backend systems. The impact is particularly critical for environments where path-based routing enforces security boundaries or restricts access to administrative or sensitive functions.

Organizations should immediately upgrade all Caddy server instances to version 2.11.1 or later, where the vulnerability is fixed. Until upgrades can be applied, administrators should audit and tighten access control policies to avoid relying solely on path-based routing for security enforcement. Implement additional layers of authentication and authorization checks at the application level to prevent unauthorized access. Monitoring and logging HTTP requests for unusual casing patterns in percent-encoded paths can help detect attempted exploitation. Network-level protections such as web application firewalls (WAFs) can be configured to normalize URL encoding and block suspicious requests. Regularly review and update server software and dependencies to incorporate security patches promptly. Finally, conduct penetration testing focusing on URL encoding edge cases to validate the robustness of routing and access controls.