CVE Catalog

CVE-2026-45692

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.14%

4th percentile — higher than 4% of all known CVEs

Summary

A vulnerability in Caddy server versions 2.4.0 through 2.11.3 arises from a mismatch between the authorization layer and the /config path traversal layer. The authorization layer uses string prefix matching, while the traversal layer parses array indices numerically using strconv.Atoi(), leading to incorrect resolution of configuration objects. The issue is fixed in version 2.11.3.

Risk Assessment

An attacker may gain access to unauthorized configuration objects, potentially leading to server setting modification, privilege escalation, or system integrity compromise.

Recommendation

Immediately upgrade Caddy server to version 2.11.3 or later, which includes the fix for this vulnerability.

Original NVD description (English source)

Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal layer do not agree on what object the path refers to. In this case, a path authorized for one config object is accepted, but then resolves to a different config object during traversal. This happens because the authorization layer uses string prefix matching and the /config traversal layer parses array indices numerically using strconv.Atoi(). This vulnerability is fixed in 2.11.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS