CVE Catalog

CVE-2026-52844

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.40%

31th percentile — higher than 31% of all known CVEs

Summary

Caddy before version 2.11.4 on Windows incorrectly handles path separators in path matchers, allowing bypass of access controls to protected directories. An unauthenticated remote attacker can access protected resources.

Risk Assessment

The risk involves bypassing authentication and denial mechanisms for protected paths, potentially leading to data leakage or unauthorized system access.

Recommendation

Immediately update Caddy to version 2.11.4 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, on Windows, Caddy path matchers treat /private\secret.txt as outside /private/*, but file_server later resolves the same request path as private\secret.txt on disk. An unauthenticated remote client can bypass Caddy path-scoped auth/deny routes protecting /private/*. This vulnerability is fixed in 2.11.4.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS