CVE-2026-27590: CWE-20: Improper Input Validation in caddyserver caddy
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment). Version 2.11.1 fixes the issue.
AI Analysis
Technical Summary
CVE-2026-27590 is a vulnerability in the Caddy web server platform, specifically in its FastCGI path splitting logic prior to version 2.11.1. Caddy processes FastCGI requests by splitting the request path to determine SCRIPT_NAME, SCRIPT_FILENAME, and PATH_INFO. The flaw stems from computing the split index on a lowercased copy of the request path using strings.ToLower(), which can change the byte length of UTF-8 characters. Because the index is then applied to the original path, this mismatch can cause incorrect slicing, resulting in path confusion. An attacker can craft requests containing '.php' that cause the server to execute a different file than intended. In environments where attackers can upload or control file contents, this can lead to execution of arbitrary code, effectively remote code execution (RCE). The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The CVSS 4.0 score is 8.9 (high), reflecting the ease of exploitation and severe impact on confidentiality, integrity, and availability. The issue is resolved in Caddy version 2.11.1 by correcting the path splitting logic to avoid relying on lowercased byte indices.
Potential Impact
The vulnerability allows attackers to bypass intended path restrictions and execute arbitrary files as PHP scripts, potentially leading to remote code execution. This compromises the confidentiality, integrity, and availability of affected systems. Organizations running vulnerable Caddy versions with FastCGI and PHP setups are at risk of unauthorized access, data breaches, and full system compromise. The impact is especially severe in environments that allow file uploads or content control by untrusted users, as attackers can upload malicious payloads disguised as non-PHP files but executed as PHP. Exploitation requires no authentication or user interaction, increasing the risk of widespread attacks. This can lead to service disruption, data loss, and lateral movement within networks.
Mitigation Recommendations
1. Upgrade all Caddy server instances to version 2.11.1 or later immediately to apply the fix for this vulnerability. 2. Review and restrict file upload mechanisms to ensure only safe file types are accepted and stored securely, preventing attackers from uploading malicious files. 3. Implement strict input validation and sanitization on all user-supplied data, especially file paths and names. 4. Use web application firewalls (WAFs) to detect and block suspicious FastCGI requests that attempt path manipulation or unusual '.php' execution patterns. 5. Monitor server logs for anomalous requests containing crafted paths or unexpected file executions. 6. Employ least privilege principles for web server and PHP process permissions to limit the impact of any successful exploitation. 7. Conduct regular security audits and penetration testing focusing on FastCGI and file upload components. 8. Consider disabling FastCGI or PHP execution where not required to reduce attack surface.
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Australia, Canada, Netherlands, Sweden
CVE-2026-27590: CWE-20: Improper Input Validation in caddyserver caddy
Description
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment). Version 2.11.1 fixes the issue.
AI-Powered Analysis
Technical Analysis
CVE-2026-27590 is a vulnerability in the Caddy web server platform, specifically in its FastCGI path splitting logic prior to version 2.11.1. Caddy processes FastCGI requests by splitting the request path to determine SCRIPT_NAME, SCRIPT_FILENAME, and PATH_INFO. The flaw stems from computing the split index on a lowercased copy of the request path using strings.ToLower(), which can change the byte length of UTF-8 characters. Because the index is then applied to the original path, this mismatch can cause incorrect slicing, resulting in path confusion. An attacker can craft requests containing '.php' that cause the server to execute a different file than intended. In environments where attackers can upload or control file contents, this can lead to execution of arbitrary code, effectively remote code execution (RCE). The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The CVSS 4.0 score is 8.9 (high), reflecting the ease of exploitation and severe impact on confidentiality, integrity, and availability. The issue is resolved in Caddy version 2.11.1 by correcting the path splitting logic to avoid relying on lowercased byte indices.
Potential Impact
The vulnerability allows attackers to bypass intended path restrictions and execute arbitrary files as PHP scripts, potentially leading to remote code execution. This compromises the confidentiality, integrity, and availability of affected systems. Organizations running vulnerable Caddy versions with FastCGI and PHP setups are at risk of unauthorized access, data breaches, and full system compromise. The impact is especially severe in environments that allow file uploads or content control by untrusted users, as attackers can upload malicious payloads disguised as non-PHP files but executed as PHP. Exploitation requires no authentication or user interaction, increasing the risk of widespread attacks. This can lead to service disruption, data loss, and lateral movement within networks.
Mitigation Recommendations
1. Upgrade all Caddy server instances to version 2.11.1 or later immediately to apply the fix for this vulnerability. 2. Review and restrict file upload mechanisms to ensure only safe file types are accepted and stored securely, preventing attackers from uploading malicious files. 3. Implement strict input validation and sanitization on all user-supplied data, especially file paths and names. 4. Use web application firewalls (WAFs) to detect and block suspicious FastCGI requests that attempt path manipulation or unusual '.php' execution patterns. 5. Monitor server logs for anomalous requests containing crafted paths or unexpected file executions. 6. Employ least privilege principles for web server and PHP process permissions to limit the impact of any successful exploitation. 7. Conduct regular security audits and penetration testing focusing on FastCGI and file upload components. 8. Consider disabling FastCGI or PHP execution where not required to reduce attack surface.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-02-20T17:40:28.450Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 699e0f3cbe58cf853b290cdf
Added to database: 2/24/2026, 8:51:08 PM
Last enriched: 2/24/2026, 8:54:33 PM
Last updated: 2/24/2026, 10:59:20 PM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-27593: CWE-640: Weak Password Recovery Mechanism for Forgotten Password in statamic cms
CriticalCVE-2026-27117: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in rikyoz bit7z
MediumCVE-2026-27572: CWE-770: Allocation of Resources Without Limits or Throttling in bytecodealliance wasmtime
MediumCVE-2026-27204: CWE-400: Uncontrolled Resource Consumption in bytecodealliance wasmtime
MediumCVE-2026-27195: CWE-755: Improper Handling of Exceptional Conditions in bytecodealliance wasmtime
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.