Description
There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:
- Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI
path splitting logic computes the split index on a lowercased copy of the request path and then uses that
byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change
UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect
`SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to
execute a different on-disk file than intended (path confusion). In setups where an attacker can control
file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files
(potential RCE depending on deployment). Version 2.11.1 fixes the issue. (CVE-2026-27590)
- Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path
sanitization routine in file matcher doesn't sanitize backslashes which can lead to bypassing path related
security protections. It affects users with specific Caddy and environment configurations. Version 2.11.1
fixes the issue. (CVE-2026-27585)
- Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed
errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail
open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but
accepts any client certificate signed by any system-trusted CA, completely bypassing the intended private
CA trust boundary. Any deployment using `trusted_ca_cert_file` or `trusted_ca_certs_pem_files` for mTLS
will silently degrade to accepting any system-trusted client certificate if the CA file becomes
unavailable. This can happen due to a typo in the path, file rotation, corruption, or permission changes.
The server gives no indication that mTLS is misconfigured. Version 2.11.1 fixes the vulnerability.
(CVE-2026-27586)
- Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP
`path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-
escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker
can bypass path-based routing and any access controls attached to that route by changing the casing of the
request path. Version 2.11.1 contains a fix for the issue. (CVE-2026-27587)
- Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP
`host` request matcher is documented as case-insensitive, but when configured with a large host list (>100
entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based
routing and any access controls attached to that route by changing the casing of the `Host` header.
Version 2.11.1 contains a fix for the issue. (CVE-2026-27588)
Solution
Update the caddy library and its related packages to version 2.11.2-r0 or later.
Plugin Details
Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Threat Vector: CVSS:4.0/E:P
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Vulnerability Information
Exploit Ease: Exploits are available
Vulnerability Publication Date: 2/24/2026