PatchSiren cyber security CVE debrief
CVE-2026-52844 caddyserver CVE debrief
CVE-2026-52844 is a high-severity vulnerability in Caddy, a popular extensible server platform that uses TLS by default. The issue arises from how Caddy's path matchers handle requests on Windows. Specifically, prior to version 2.11.4, Caddy's path matchers treat /private/secret.txt as outside the /private/* scope, but the file_server later resolves the same request path as private/secret.txt on disk. This discrepancy allows an unauthenticated remote client to bypass Caddy's path-scoped authentication and denial routes protecting the /private/ directory. The vulnerability has been fixed in Caddy version 2.11.4. Organizations using Caddy should ensure they are running the latest version to mitigate this risk.
- Vendor: caddyserver
- Product: caddy
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-23
- Original CVE updated: 2026-06-23
- Advisory published: 2026-06-23
- Advisory updated: 2026-06-23
Who should care
This vulnerability affects users of Caddy, particularly those hosting sensitive data or applications behind Caddy's authentication and authorization features. The ability to bypass path-scoped auth/deny routes could allow unauthorized access to sensitive information. Therefore, administrators of Caddy instances, especially those with /private/ or similarly protected directories, should prioritize patching to version 2.11.4 or later.
Technical summary
The vulnerability in Caddy arises from a discrepancy in how path matchers and the file_server handle request paths on Windows. Caddy, by default, uses TLS and provides a flexible way to configure path-based access controls. However, prior to version 2.11.4, there was a mismatch in how paths were interpreted by the path matchers and the file_server component. Specifically, the path matchers would consider /private/secret.txt as outside the /private/* scope, while the file_server would resolve it as accessing private/secret.txt on disk. This mismatch enables an unauthenticated attacker to bypass security routes protecting the /private/ directory. The issue is addressed in Caddy version 2.11.4.
Defensive priority
High. Immediate patching to version 2.11.4 or later is recommended for all Caddy users, especially those with sensitive data or applications protected by Caddy's path-scoped auth/deny routes.
Recommended defensive actions
- Patch Caddy to version 2.11.4 or later.
- Review Caddy configurations to ensure path-scoped auth/deny routes are correctly implemented.
- Monitor Caddy instances for unusual activity indicative of exploitation attempts.
- Consider additional compensating controls, such as IP restrictions or enhanced monitoring, until patching can be applied.
- Verify that file_server configurations are properly aligned with intended access controls.
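One way to act on the monitoring recommendation above, as an added example that is not part of the advisory or of Caddy's own code: a Python check over Caddy JSON access-log lines that flags successful responses served under a protected prefix with no authenticated user_id (the field basic_auth populates). The protected prefix, the Windows-style canonicalization and the sample log lines are assumptions constructed for this example.

```python
import json
import posixpath
from urllib.parse import unquote

# Assumed: the prefixes your Caddyfile protects with path-scoped auth/deny routes.
PROTECTED_PREFIXES = ("/private/",)


def canonical_path(uri: str) -> str:
    """Reduce a request URI to the form the on-disk resolver would use.

    Assumption: on Windows the file server treats '\\' like '/', ignores case and
    collapses dot segments, while a matcher that compares the raw URI may not.
    """
    path = unquote(uri.split("?", 1)[0]).replace("\\", "/")
    return posixpath.normpath("/" + path.lstrip("/")).lower()


def is_protected(path: str) -> bool:
    return any(path.startswith(prefix) for prefix in PROTECTED_PREFIXES)


def flag_unauthenticated_hits(log_lines):
    """Return (remote_ip, uri, status) for 2xx responses on a protected path
    with no authenticated user (Caddy's basic_auth populates user_id)."""
    findings = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or non-JSON line
        if rec.get("logger") != "http.log.access":
            continue
        req = rec.get("request", {})
        status, uri = rec.get("status", 0), req.get("uri", "")
        if 200 <= status < 300 and not rec.get("user_id") and is_protected(canonical_path(uri)):
            findings.append((req.get("remote_ip"), uri, status))
    return findings


# Constructed sample lines in Caddy's JSON access-log shape (not real traffic).
SAMPLE_LOG = """
{"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.7","method":"GET","host":"example.com","uri":"/index.html"},"user_id":"","status":200}
{"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.8","method":"GET","host":"example.com","uri":"/private/report.txt"},"user_id":"alice","status":200}
{"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.9","method":"GET","host":"example.com","uri":"/private/secret.txt"},"user_id":"","status":401}
{"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"198.51.100.5","method":"GET","host":"example.com","uri":"/private/secret.txt"},"user_id":"","status":200}
"""

if __name__ == "__main__":
    for ip, uri, status in flag_unauthenticated_hits(SAMPLE_LOG.splitlines()):
        print(f"ALERT: unauthenticated {status} on protected path {uri} from {ip}")
```

Only the last sample line is reported: it is a 200 on a protected path with an empty user_id, which a correctly enforced auth route should never produce.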
Evidence notes
Details of CVE-2026-52844 were obtained from NVD and the Caddy security advisory. The vulnerability is confirmed to be fixed in Caddy version 2.11.4. The CVSS score of 7.5 indicates high severity, emphasizing the need for prompt action.
Official resources
- CVE-2026-52844 CVE record (CVE.org)
- CVE-2026-52844 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference
This article is AI-assisted and based on the supplied source corpus.