
CVE-2026-27588: CWE-178: Improper Handling of Case Sensitivity in caddyserver caddy

Severity: High
Type: Vulnerability
Tags: CVE-2026-27588, CWE-178
Published: Tue Feb 24 2026 (02/24/2026, 16:28:28 UTC)
Source: CVE Database V5
Vendor/Project: caddyserver
Product: caddy

Description

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the casing of the `Host` header. Version 2.11.1 contains a fix for the issue.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/04/2026, 18:50:06 UTC

Technical Analysis

CVE-2026-27588 is a vulnerability in the Caddy web server platform affecting versions prior to 2.11.1. Caddy is known for its extensibility and its use of TLS by default. The flaw lies in the HTTP Host request matcher. The matcher is documented as case-insensitive, so host-based routing and the access controls attached to a route are expected to apply regardless of the casing of the Host header. When the matcher is configured with a large host list (more than 100 entries), however, an optimized matching path is taken and comparison becomes case-sensitive. Because the matcher then fails to recognize a host written in a different casing, a request whose Host header has been re-cased is not handled by the route the operator intended, and the access controls attached to that route do not apply to it. For example, if a route is restricted to a specific host, changing the case of the Host header can circumvent that restriction, potentially exposing sensitive resources or functionality. The vulnerability requires no authentication or user interaction and can be exploited remotely with crafted HTTP requests. The CVSS 4.0 base score is 7.7 (high severity), reflecting the ease of exploitation and the significant impact on confidentiality and integrity from unauthorized access. The issue was fixed in Caddy version 2.11.1, which restores case-insensitive matching regardless of host list size.
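To make the two-path behaviour described above concrete, here is an added Go illustration (constructed for this page, not Caddy's code) of a host matcher whose map-based fast path for lists above 100 entries compares case-sensitively while its small-list scan does not, beside the normalized form that fixes it. The threshold constant, the `normalize` switch and any host names are assumptions of the example.

```go
package main

import "strings"

// fastPathThreshold mirrors the ">100 entries" boundary from the advisory.
const fastPathThreshold = 100

// HostMatcher is a constructed model (not Caddy's code) of a two-path matcher.
type HostMatcher struct {
	normalize bool                // fixed behaviour: lower-case before comparing
	list      []string            // slow path, compared with strings.EqualFold
	index     map[string]struct{} // fast path, exact-key lookup; nil for small lists
}

// NewHostMatcher builds the matcher; normalize=false reproduces the bug class.
func NewHostMatcher(hosts []string, normalize bool) *HostMatcher {
	m := &HostMatcher{normalize: normalize}
	for _, h := range hosts {
		if normalize {
			h = strings.ToLower(h)
		}
		m.list = append(m.list, h)
	}
	if len(m.list) > fastPathThreshold {
		m.index = make(map[string]struct{}, len(m.list))
		for _, h := range m.list {
			m.index[h] = struct{}{}
		}
	}
	return m
}

// Match reports whether the request's Host value selects this route. Without
// normalization the map path is case-sensitive but the scan path is not.
func (m *HostMatcher) Match(reqHost string) bool {
	if m.normalize {
		reqHost = strings.ToLower(reqHost)
	}
	if m.index != nil {
		_, ok := m.index[reqHost]
		return ok
	}
	for _, h := range m.list {
		if strings.EqualFold(h, reqHost) {
			return true
		}
	}
	return false
}
```

The check a reviewer would run against any such matcher is that `Match` returns the same answer for every casing of a configured host, with both a small and a large list.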

Potential Impact

This vulnerability can have serious consequences for organizations using vulnerable versions of Caddy with large host configurations. By bypassing host-based routing and access controls, attackers can gain unauthorized access to restricted routes or services, potentially exposing sensitive data or administrative interfaces. This can lead to data breaches, unauthorized configuration changes, or service misuse. Since Caddy is often used as a reverse proxy or web server in various environments, including cloud, enterprise, and hosting providers, the impact can be widespread. The flaw undermines the security assumptions of host-based access control, increasing the risk of lateral movement within networks or exploitation of other vulnerabilities. The lack of required authentication and user interaction makes exploitation straightforward for remote attackers. Although no known exploits are reported in the wild yet, the high severity and ease of exploitation warrant immediate attention. Organizations relying on Caddy for critical web services or multi-tenant hosting are particularly at risk.

Mitigation Recommendations

To mitigate this vulnerability, organizations should upgrade all Caddy server instances to version 2.11.1 or later, where the issue is fixed. If immediate upgrading is not feasible, administrators should consider reducing the number of host entries to fewer than 100 to avoid triggering the case-sensitive matching path, though this is a temporary and less reliable workaround. Additionally, implementing strict monitoring and logging of HTTP Host headers can help detect suspicious casing variations indicative of exploitation attempts. Network-level controls such as Web Application Firewalls (WAFs) can be configured to normalize Host headers or block requests with unusual casing patterns. Reviewing and tightening access controls beyond host-based routing, such as IP whitelisting or authentication mechanisms, can provide defense in depth. Regular security audits and penetration testing should verify that host-based routing and access controls behave as expected. Finally, organizations should stay informed about updates from the Caddy project and apply security patches promptly.
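The Host-header casing monitoring suggested above, as an added Go example that is not part of the original page: it scans constructed access-log lines and flags requests whose Host header matches a configured host only after lower-casing. The log format and host names are assumptions; Caddy's own log format needs its own parser.

```go
package main

import "strings"

// Finding is one request whose Host matched a configured host only after
// lower-casing: the casing pattern the advisory recommends watching for.
type Finding struct {
	RemoteIP, RawHost, Canonical string
}

// FlagCaseVariants scans access-log lines in the constructed format
// "<client-ip> <host-header> <method> <path>" (real logs need the site's own
// parser) and returns requests whose Host differs from a configured host only
// by case. Hosts spelled exactly as configured are never flagged.
func FlagCaseVariants(lines []string, configured []string) []Finding {
	written := make(map[string]struct{}, len(configured))
	canon := make(map[string]struct{}, len(configured))
	for _, h := range configured {
		written[h] = struct{}{}
		canon[strings.ToLower(h)] = struct{}{}
	}
	var out []Finding
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 2 {
			continue // malformed line: skip rather than guess
		}
		ip, host := f[0], f[1]
		if _, exact := written[host]; exact {
			continue
		}
		lower := strings.ToLower(host)
		if _, known := canon[lower]; known {
			out = append(out, Finding{RemoteIP: ip, RawHost: host, Canonical: lower})
		}
	}
	return out
}

// SampleLog is a constructed log: only the third line is a casing variant of
// a configured host; the last line is an unrelated host and is ignored.
var SampleLog = []string{
	"203.0.113.5 admin.example.test GET /",
	"203.0.113.6 api.example.test GET /v1/status",
	"198.51.100.9 ADMIN.Example.Test GET /config",
	"198.51.100.9 other.example.test GET /",
}
```

Treat a hit as a lead to review together with the request path and source, not as proof of exploitation.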


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-20T17:40:28.450Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 699e0f3bbe58cf853b2906de

Added to database: 2/24/2026, 8:51:07 PM

Last enriched: 3/4/2026, 6:50:06 PM

Last updated: 4/11/2026, 1:42:54 AM

Views: 103
