Alpine: caddy: security update to 2.11.2-r0

critical Tenable Self-Hosted Container Security Plugin ID 439411

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI
path splitting logic computes the split index on a lowercased copy of the request path and then uses that
byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change
UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect
`SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to
execute a different on-disk file than intended (path confusion). In setups where an attacker can control
file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files
(potential RCE depending on deployment). Version 2.11.1 fixes the issue. (CVE-2026-27590)

- Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path
sanitization routine in file matcher doesn't sanitize backslashes which can lead to bypassing path related
security protections. It affects users with specific Caddy and environment configurations. Version 2.11.1
fixes the issue. (CVE-2026-27585)

- Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed
errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail
open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but
accepts any client certificate signed by any system-trusted CA, completely bypassing the intended private
CA trust boundary. Any deployment using `trusted_ca_cert_file` or `trusted_ca_certs_pem_files` for mTLS
will silently degrade to accepting any system-trusted client certificate if the CA file becomes
unavailable. This can happen due to a typo in the path, file rotation, corruption, or permission changes.
The server gives no indication that mTLS is misconfigured. Version 2.11.1 fixes the vulnerability.
(CVE-2026-27586)

- Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP
`path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-
escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker
can bypass path-based routing and any access controls attached to that route by changing the casing of the
request path. Version 2.11.1 contains a fix for the issue. (CVE-2026-27587)

- Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP
`host` request matcher is documented as case-insensitive, but when configured with a large host list (>100
entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based
routing and any access controls attached to that route by changing the casing of the `Host` header.
Version 2.11.1 contains a fix for the issue. (CVE-2026-27588)

Solution

Update the caddy library and its related packages to version 2.11.2-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2026-27585

https://security.alpinelinux.org/vuln/CVE-2026-27586

https://security.alpinelinux.org/vuln/CVE-2026-27587

https://security.alpinelinux.org/vuln/CVE-2026-27588

https://security.alpinelinux.org/vuln/CVE-2026-27589

https://security.alpinelinux.org/vuln/CVE-2026-27590

https://security.alpinelinux.org/vuln/CVE-2026-30851

https://security.alpinelinux.org/vuln/CVE-2026-30852

Plugin Details

Severity: Critical

ID: 439411

Version: Revision 1.13

Type: Local

Published: 3/28/2026

Updated: 6/26/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.6

Percentile: 98.48

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-27590

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.3

Threat Score: 8.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 2/24/2026

Reference Information

CVE: CVE-2026-27585, CVE-2026-27586, CVE-2026-27587, CVE-2026-27588, CVE-2026-27589, CVE-2026-27590, CVE-2026-30851, CVE-2026-30852