CVE-2026-27590 affects the Caddy web server platform, specifically its FastCGI path splitting logic prior to version 2.11.1. The vulnerability stems from the way Caddy processes request paths containing PHP files. The server converts the request path to lowercase using strings.ToLower() to determine the split index for SCRIPT_NAME and PATH_INFO, but this transformation can change the byte length of UTF-8 encoded Unicode characters. Consequently, the byte index used to slice the original path becomes incorrect, leading to path confusion. This means that a request containing '.php' might be mapped to a different on-disk file than intended. In scenarios where an attacker can upload or control file contents, this flaw can be exploited to execute arbitrary code by tricking the server into interpreting non-PHP files as PHP scripts. The vulnerability does not require any authentication or user interaction and can be exploited remotely over the network. The CVSS 4.0 base score is 8.9, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no privileges required. The issue is addressed in Caddy 2.11.1 by correcting the path splitting logic to properly handle Unicode characters without altering byte indices.

This vulnerability poses a significant risk to organizations running vulnerable versions of Caddy server, especially those using FastCGI with PHP. Successful exploitation can lead to remote code execution, allowing attackers to run arbitrary code on the server, potentially leading to full system compromise. This can result in data breaches, service disruption, and unauthorized access to sensitive information. Because no authentication or user interaction is needed, the attack surface is broad. Organizations that allow file uploads or have web applications that accept user-controlled files are particularly at risk, as attackers can upload malicious payloads disguised as non-PHP files but executed as PHP due to path confusion. The impact extends to confidentiality, integrity, and availability of affected systems, making this a critical concern for web hosting providers, SaaS platforms, and enterprises relying on Caddy for web services.

1. Upgrade all Caddy server instances to version 2.11.1 or later immediately to apply the official fix. 2. Review and restrict file upload functionalities to prevent unauthorized or unvalidated file uploads, especially disallowing upload of files that could be interpreted as executable scripts. 3. Implement strict input validation and sanitization on all user-supplied data, particularly request paths and filenames. 4. Employ web application firewalls (WAFs) with rules designed to detect and block suspicious FastCGI requests or path traversal attempts. 5. Monitor server logs for anomalous requests containing Unicode characters or unusual path patterns that could indicate exploitation attempts. 6. Consider isolating FastCGI processes and running them with least privilege to limit potential damage from exploitation. 7. Conduct regular security audits and penetration tests focusing on Unicode handling and path parsing logic in web servers. 8. Educate developers and administrators about Unicode normalization issues and their security implications to prevent similar vulnerabilities in custom code.