← Volver a CVEs
CVE-2026-27588
CRITICAL9.1
Descripcion
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the casing of the `Host` header. Version 2.11.1 contains a fix for the issue.
Detalles CVE
Puntuacion CVSS v3.19.1
SeveridadCRITICAL
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosNONE
Interaccion usuarioNONE
Publicado2/24/2026
Ultima modificacion2/25/2026
Fuentenvd
Avistamientos honeypot0
Productos afectados
caddyserver:caddy
Debilidades (CWE)
CWE-178
Referencias
https://github.com/caddyserver/caddy/releases/tag/v2.11.1(security-advisories@github.com)
https://github.com/caddyserver/caddy/security/advisories/GHSA-x76f-jf84-rqj8(security-advisories@github.com)
Correlaciones IOC
Sin correlaciones registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.