CVE-2026-52844
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk31th percentile — higher than 31% of all known CVEs
Summary
Caddy before version 2.11.4 on Windows incorrectly handles path separators in path matchers, allowing bypass of access controls to protected directories. An unauthenticated remote attacker can access protected resources.
Risk Assessment
The risk involves bypassing authentication and denial mechanisms for protected paths, potentially leading to data leakage or unauthorized system access.
Recommendation
Immediately update Caddy to version 2.11.4 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, on Windows, Caddy path matchers treat /private\secret.txt as outside /private/*, but file_server later resolves the same request path as private\secret.txt on disk. An unauthenticated remote client can bypass Caddy path-scoped auth/deny routes protecting /private/*. This vulnerability is fixed in 2.11.4.

