Backslash Blues: Bypassing Caddy's ACLs with a Single Character
Vulnerability ID: CVE-2026-27585
CVSS Score: 6.9
Published: 2026-02-24
A semantic gap between Caddy's HTTP request matching and the underlying Go filesystem globbing logic allows attackers to bypass path-based access controls. By injecting backslashes into the request URI, an attacker can evade security matchers while still successfully resolving the target file on disk.
TL;DR
Caddy < 2.11.1 failed to escape backslashes in its file matcher sanitization. Attackers can use paths like /admi\n to bypass explicit block rules for /admin: the path matcher does not see the string "/admin", but the filesystem globber treats the backslash as an escape and matches the following "n" literally, so the pattern still resolves to the protected file and Caddy serves it.
⚠️ Exploit Status: POC
Technical Details
- CWE: CWE-20 (Improper Input Validation)
- CVSS v4.0: 6.9 (Medium)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- Exploit Status: PoC Available
Affected Systems
- Caddy Server < 2.11.1
- Caddy: < 2.11.1 (Fixed in: 2.11.1)
Code Analysis
Commit: 68d5002
fileserver: fix glob sanitization bypass
var globSafeRepl = strings.NewReplacer(
"*", "\\*",
"?", "\\?",
"[", "\\[",
+ "\\", "\\\\",
)
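Review bot: the new `"\\", "\\\\"` rule is only correct because strings.NewReplacer performs a single left-to-right pass, so the backslashes emitted by the three existing rules (`\*`, `\?`, `\[`) are never re-escaped; if this sanitizer is ever rewritten as a chain of strings.ReplaceAll calls, the backslash rule must run first or every other escape gets doubled. A regression test feeding `admi\n` through the replacer and asserting it no longer glob-matches `admin` would pin the behaviour this commit fixes.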
Exploit Details
- Internal Research: Path traversal/bypass via backslash injection in try_files
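The bypass described above, reduced to a self-contained regression check. This is an added example, not Caddy's code: it models the HTTP path matcher as a plain prefix comparison and the file lookup with Go's path.Match (the matcher io/fs.Glob uses), and it reconstructs the pre-fix and post-fix replacers from the commit diff on this page.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Pre-fix sanitizer (reconstructed from the diff): escapes glob metacharacters
// but leaves a request-supplied backslash intact, so it stays an escape character.
var globSafeReplVuln = strings.NewReplacer("*", "\\*", "?", "\\?", "[", "\\[")

// Post-fix sanitizer: also escapes the backslash itself.
var globSafeReplFixed = strings.NewReplacer("*", "\\*", "?", "\\?", "[", "\\[", "\\", "\\\\")

// blockedByPathMatcher models a deny rule for /admin as a simple prefix check,
// which is how a request is evaluated before the file server sees it (assumption).
func blockedByPathMatcher(uri string) bool {
	return strings.HasPrefix(uri, "/admin")
}

// resolvesToAdmin reports whether the sanitized request path, used as a glob
// pattern, matches the on-disk file "admin".
func resolvesToAdmin(repl *strings.Replacer, uri string) bool {
	pattern := repl.Replace(strings.TrimPrefix(uri, "/"))
	ok, err := path.Match(pattern, "admin")
	return err == nil && ok
}

// bypassed is true when a request evades the deny rule yet still reaches /admin.
func bypassed(repl *strings.Replacer, uri string) bool {
	return !blockedByPathMatcher(uri) && resolvesToAdmin(repl, uri)
}

func main() {
	// Constructed request paths: the legitimate one and the backslash variant.
	for _, uri := range []string{"/admin", `/admi\n`} {
		fmt.Printf("%-10q vulnerable bypass=%-5v fixed bypass=%v\n",
			uri, bypassed(globSafeReplVuln, uri), bypassed(globSafeReplFixed, uri))
	}
}
```

Run it against your own sanitizer to confirm the backslash rule is present; the fixed replacer must report no bypass for the `/admi\n` variant.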
Mitigation Strategies
- Upgrade Caddy to version 2.11.1 or later immediately.
- Sanitize URL paths at the network edge (WAF/Load Balancer) to block %5C (backslash).
- Avoid relying solely on path-based exclusion lists (blocklists); prefer allowlists where possible.
Remediation Steps:
- Download the latest Caddy binary: `caddy upgrade`, or fetch it from GitHub releases.
- Restart the Caddy service: `systemctl restart caddy`.
- Verify the version: `caddy version` should report v2.11.1.
References
Read the full report for CVE-2026-27585 on our website for more details including interactive diagrams and full exploit analysis.