CVE-2026-27587: CWE-178: Improper Handling of Case Sensitivity in caddyserver caddy
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path. Version 2.11.1 contains a fix for the issue.
AI Analysis
Technical Summary
CVE-2026-27587 is a vulnerability in the Caddy web server platform, specifically in versions prior to 2.11.1. Caddy's HTTP `path` request matcher is designed to be case-insensitive to improve routing flexibility. However, when the match pattern includes percent-escape sequences (e.g., `%xx` encoding), the matcher compares the pattern against the request's escaped path without converting it to lowercase. This improper handling of case sensitivity (CWE-178) allows an attacker to send a request whose path differs only in letter case from the configured pattern: the request fails to match the intended route, so the path-based routing rule and any access controls attached to that route are bypassed. Since Caddy uses TLS by default and is often deployed as a reverse proxy or web server, this bypass can expose sensitive endpoints or resources that rely on path-based restrictions for security. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges or user interaction required, and high impact on integrity due to unauthorized access. Although no known exploits are currently reported in the wild, the flaw presents a significant risk to organizations using vulnerable Caddy versions. The issue was addressed in Caddy 2.11.1 by ensuring consistent case normalization of percent-encoded paths during matching.
Potential Impact
The primary impact of this vulnerability is unauthorized bypass of path-based routing and access controls, potentially exposing sensitive web resources or administrative interfaces. This can lead to unauthorized data access, modification, or service manipulation, compromising the integrity and confidentiality of affected systems. Organizations relying on Caddy for secure web hosting or reverse proxying may face increased risk of targeted attacks exploiting this flaw. Since Caddy is often used in cloud environments, microservices architectures, and DevOps pipelines, the vulnerability could affect a wide range of deployments globally. The ease of exploitation without authentication or user interaction increases the threat level. Although no availability impact is directly indicated, unauthorized access can facilitate further attacks that degrade service. The vulnerability could also undermine compliance with security policies and regulations requiring strict access controls.
Mitigation Recommendations
Organizations should upgrade all Caddy server instances to version 2.11.1 or later, where the vulnerability is fixed. Until upgrades can be applied, administrators can implement strict input validation and normalization at upstream firewalls or web application firewalls (WAFs) to detect and block suspicious percent-encoded path variants with unusual casing. Reviewing and hardening path-based routing rules to avoid reliance solely on case-insensitive matching of percent-encoded sequences is recommended. Monitoring server logs for anomalous requests with mixed-case percent-encoding can help detect exploitation attempts. Additionally, applying defense-in-depth by enforcing authentication and authorization at the application layer, rather than relying solely on path-based controls, reduces risk. Regular vulnerability scanning and patch management processes should be enhanced to promptly identify and remediate such issues.
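The following Go program is an added example, not Caddy's code, that serves both the technical summary above and the log-monitoring recommendation in this section. It models only the behaviour the advisory describes: a case-insensitive path matcher whose patterns are lowercased at configuration time and which, when a pattern contains a percent-escape, compares against the request's escaped path. The `lowerEscaped` switch toggles between the pre-2.11.1 behaviour (escaped path compared as-is) and the fix (escaped path lowercased as well). The route table, handler names and sample request paths are constructed for illustration; `routedDifferently` is the check a defender could run over paths extracted from access logs to find requests whose casing alone would have changed the routing decision.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed model, not Caddy's code. It reproduces only the behaviour the
// advisory describes: patterns are lowercased once at configuration time, and a
// pattern containing a percent-escape is compared against the request's escaped
// path, so "%2f" in the pattern means a literal "%2f" rather than "/".

// route pairs a hypothetical path pattern with the name of the handler it selects.
type route struct {
	pattern string // may end in "*" to match any suffix
	handler string
}

// prefixMatch implements the "*"-suffix wildcard; anything else is an exact match.
func prefixMatch(pattern, subject string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(subject, strings.TrimSuffix(pattern, "*"))
	}
	return subject == pattern
}

// subjectPath returns the request string that a lowercased pattern is compared
// against. lowerEscaped=false models the pre-2.11.1 defect: the escaped path is
// used as-is, so its case is never normalised. lowerEscaped=true models the fix:
// the escaped path is lowercased like the unescaped one. Lowercasing the hex
// digits of an escape is safe because "%2F" and "%2f" denote the same octet
// (RFC 3986, section 2.1).
func subjectPath(pattern string, u *url.URL, lowerEscaped bool) string {
	if strings.Contains(pattern, "%") {
		if lowerEscaped {
			return strings.ToLower(u.EscapedPath())
		}
		return u.EscapedPath()
	}
	return strings.ToLower(u.Path)
}

// selectHandler returns the handler of the first route matching rawPath,
// or "fallthrough" if none does.
func selectHandler(routes []route, rawPath string, lowerEscaped bool) string {
	u, err := url.ParseRequestURI(rawPath)
	if err != nil {
		return "bad-request"
	}
	for _, rt := range routes {
		pat := strings.ToLower(rt.pattern) // case-insensitive matcher: pattern lowercased once
		if prefixMatch(pat, subjectPath(pat, u, lowerEscaped)) {
			return rt.handler
		}
	}
	return "fallthrough"
}

// Constructed configuration: a route that gates "/admin%2f..." behind
// authentication, followed by a catch-all that serves files to anyone.
var routes = []route{
	{pattern: "/admin%2f*", handler: "require-auth"},
	{pattern: "/*", handler: "public-files"},
}

// routedDifferently is the log-monitoring check: a logged request path is
// suspicious if the vulnerable matcher would have sent it to a different
// handler than the fixed one, i.e. casing alone changed the routing decision.
func routedDifferently(routes []route, rawPath string) bool {
	return selectHandler(routes, rawPath, false) != selectHandler(routes, rawPath, true)
}

func main() {
	// Constructed request paths as they might be extracted from an access log.
	logged := []string{"/admin%2fpanel", "/Admin%2Fpanel", "/index.html", "/ADMIN%2fpanel"}
	for _, p := range logged {
		fmt.Printf("%-16s vulnerable=%-13s fixed=%-13s suspicious=%v\n", p,
			selectHandler(routes, p, false), selectHandler(routes, p, true),
			routedDifferently(routes, p))
	}
}
```

With the vulnerable setting, `/Admin%2Fpanel` and `/ADMIN%2fpanel` miss the `require-auth` route and fall through to `public-files`; with the fix both are routed exactly like `/admin%2fpanel`. The same comparison, run over historical request paths, flags only requests whose routing depended on casing, which keeps the check quiet on ordinary traffic such as `/index.html`.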
Affected Countries
United States, Germany, United Kingdom, Netherlands, Canada, Australia, France, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-20T17:40:28.450Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699e0f3bbe58cf853b2906da
Added to database: 2/24/2026, 8:51:07 PM
Last enriched: 2/24/2026, 8:53:37 PM
Last updated: 2/24/2026, 10:59:43 PM