CVE-2026-45135: CWE-20: Improper Input Validation in caddyserver caddy
Caddy is an extensible server platform that uses TLS by default. From 2.7.0 until 2.11.3, the FastCGI transport's splitPos() in modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead Caddy's FastCGI splitting into treating a non-.php (or other configured split_path extension) file as a script. In any deployment where the attacker can place content into a file served via FastCGI (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw. This vulnerability is fixed in 2.11.3.
AI Analysis
Technical Summary
CVE-2026-45135 affects Caddy server versions 2.7.0 through 2.11.3 in the FastCGI transport module. The splitPos() function misuses golang.org/x/text/search with search.IgnoreCase when processing request paths containing non-ASCII bytes. This leads to two distinct flaws in fallback logic that can mislead Caddy into treating non-.php or other configured split_path extension files as executable scripts. In deployments where attackers can upload or place files served via FastCGI, this can be exploited to achieve remote code execution by crafting specific URLs triggering these flaws. The vulnerability is resolved in Caddy version 2.11.3.
Potential Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary code remotely on the affected server by manipulating request paths to cause improper FastCGI script handling. This impacts confidentiality, integrity, and availability of the server. The CVSS 3.1 base score is 8.1 (High), reflecting network attack vector, high impact on confidentiality, integrity, and availability, and requiring high attack complexity but no privileges or user interaction.
Mitigation Recommendations
A patch is available and the vulnerability is fixed in Caddy version 2.11.3. Users should upgrade to version 2.11.3 or later to remediate this issue. Since this is a cloud-hosted service, the vendor manages remediation for the cloud service; users should verify with the vendor that their cloud instances are updated. No additional mitigations are specified by the vendor advisory.
CVE-2026-45135: CWE-20: Improper Input Validation in caddyserver caddy
Description
Caddy is an extensible server platform that uses TLS by default. From 2.7.0 until 2.11.3, the FastCGI transport's splitPos() in modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead Caddy's FastCGI splitting into treating a non-.php (or other configured split_path extension) file as a script. In any deployment where the attacker can place content into a file served via FastCGI (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw. This vulnerability is fixed in 2.11.3.
CVSS v3.1
Score 8.1high
Affected software
pkg:github/caddyserver/caddyRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-45135 affects Caddy server versions 2.7.0 through 2.11.3 in the FastCGI transport module. The splitPos() function misuses golang.org/x/text/search with search.IgnoreCase when processing request paths containing non-ASCII bytes. This leads to two distinct flaws in fallback logic that can mislead Caddy into treating non-.php or other configured split_path extension files as executable scripts. In deployments where attackers can upload or place files served via FastCGI, this can be exploited to achieve remote code execution by crafting specific URLs triggering these flaws. The vulnerability is resolved in Caddy version 2.11.3.
Potential Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary code remotely on the affected server by manipulating request paths to cause improper FastCGI script handling. This impacts confidentiality, integrity, and availability of the server. The CVSS 3.1 base score is 8.1 (High), reflecting network attack vector, high impact on confidentiality, integrity, and availability, and requiring high attack complexity but no privileges or user interaction.
Mitigation Recommendations
A patch is available and the vulnerability is fixed in Caddy version 2.11.3. Users should upgrade to version 2.11.3 or later to remediate this issue. Since this is a cloud-hosted service, the vendor manages remediation for the cloud service; users should verify with the vendor that their cloud instances are updated. No additional mitigations are specified by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-08T20:08:17.209Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 6a3acbe4eed863c81e6c9a4b
Added to database: 06/23/2026, 18:09:40 UTC
Last enriched: 06/23/2026, 18:24:36 UTC
Last updated: 06/23/2026, 19:45:56 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.