CVE-2026-27586
📋 TL;DR
CVE-2026-27586 is a critical authentication bypass in the Caddy web server. When the CA certificate file configured for mTLS client authentication (trusted_ca_cert_file in the Caddyfile, trusted_ca_certs_pem_files in the JSON config) is missing or unreadable, client certificate verification silently fails open rather than failing closed: the server accepts any client certificate that chains to a CA in its operating system trust store, which bypasses the private-CA trust boundary the operator configured. Every deployment that uses either option for mTLS is affected until it is upgraded to 2.11.1.
💻 Affected Systems
- Caddy
📦 What is this software?
Caddy by Caddyserver: an open-source web server and reverse proxy written in Go, best known for automatic HTTPS. mTLS client authentication is configured in the client_auth block of the tls directive (Caddyfile) or under tls_connection_policies[].client_authentication (JSON); the two options named above point at the private CA certificate(s) that every client certificate must chain to.
⚠️ Risk & Real-World Impact
Worst Case
Complete bypass of client certificate authentication: anyone holding a certificate from a public CA can reach services that were meant to be restricted to holders of private-CA certificates, exposing sensitive data or giving an attacker a foothold for lateral movement inside the network.
Likely Case
An operational accident (a CA file deleted during a rotation, a wrong path after a config change, a permissions change that makes the file unreadable to the Caddy process) silently downgrades the site from "private CA only" to "any system-trusted certificate", and the resulting unauthorized access goes unnoticed because nothing visibly fails.
If Mitigated
If the CA file's existence and readability are monitored and every deploy is followed by a negative test (a client certificate from outside the private CA must be rejected), a fail-open condition is caught before an attacker finds it.
🎯 Exploit Status
Exploitation requires two things at once: the server's configured CA file must be missing or unreadable when Caddy reads it, and the attacker must present a client certificate that chains to a CA in the server's operating system trust store. Nothing beyond a standard TLS client is needed; the attacker cannot cause the first condition remotely and has to wait for, or coincide with, an operational mistake.
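The conditions above, reproduced offline as an added example. This is editor-written Go, not Caddy's code, and it does not claim to replicate Caddy's internal loading path; it shows what a fail-closed loader for the two options looks like and why a nil trust pool is dangerous: Go's x509 Verify consults the system trust store when Roots is nil, which matches the symptom the advisory describes. The CA names, the ca.pem path and the clients alice and mallory are invented for the demo; the CA file is created and then deleted inside a temporary directory to simulate the trigger.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// LoadClientCAPool builds the client-auth pool from the configured PEM files and fails
// closed: a missing, unreadable or certificate-free file is an error, never a nil pool.
func LoadClientCAPool(paths []string) (*x509.CertPool, error) {
	pool := x509.NewCertPool() // empty but non-nil: rejects every client until populated
	for _, p := range paths {
		data, err := os.ReadFile(p)
		if err != nil {
			return nil, fmt.Errorf("client CA file %q: %w", p, err)
		}
		if !pool.AppendCertsFromPEM(data) {
			return nil, fmt.Errorf("client CA file %q: no certificates found", p)
		}
	}
	return pool, nil
}

// VerifyClientCert accepts a leaf only if it chains to the private pool. A nil pool is
// refused: Verify with nil Roots consults the system trust store, the advisory's symptom.
func VerifyClientCert(leaf *x509.Certificate, pool *x509.CertPool) error {
	if pool == nil {
		return fmt.Errorf("refusing to verify without a private CA pool")
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// must panics on error; key generation and signing in this demo cannot realistically fail.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert mints a throwaway certificate; isCA makes it a self-signed root.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Scenario reproduces the advisory's conditions offline in dir (CA names and ca.pem are
// invented): a private CA on disk, a client it issued, a client from an unrelated CA, then
// the CA file going missing. It reports what a fail-closed server must observe.
func Scenario(dir string) (privateAccepted, foreignRejected, missingFileFails bool, err error) {
	privCA, privKey := newCert("Private Root CA", true, nil, nil)
	foreignCA, foreignKey := newCert("Unrelated Root CA", true, nil, nil)
	alice, _ := newCert("alice", false, privCA, privKey)
	mallory, _ := newCert("mallory", false, foreignCA, foreignKey)
	caPath := dir + "/ca.pem"
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: privCA.Raw})
	if err = os.WriteFile(caPath, caPEM, 0o600); err != nil {
		return
	}
	pool, err := LoadClientCAPool([]string{caPath})
	if err != nil {
		return
	}
	privateAccepted = VerifyClientCert(alice, pool) == nil
	foreignRejected = VerifyClientCert(mallory, pool) != nil
	if err = os.Remove(caPath); err == nil {
		_, loadErr := LoadClientCAPool([]string{caPath})
		missingFileFails = loadErr != nil // the trigger condition must be an error, not a fallback
	}
	return
}

func main() {
	dir, _ := os.MkdirTemp("", "mtls-failclosed")
	defer os.RemoveAll(dir)
	fmt.Println(Scenario(dir)) // true true true <nil>
}
```

The vulnerable shape is the inverse of LoadClientCAPool: swallow the read error, hand a nil (or never-populated) pool to the TLS layer, and the stdlib quietly substitutes the system roots. The same loader doubles as a preflight check for the workaround section: run it against the configured paths as the Caddy service user before reloading, and refuse the reload if it errors.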
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.11.1
Vendor Advisory: https://github.com/caddyserver/caddy/security/advisories/GHSA-hffm-g8v7-wrv7
Restart Required: Yes
Instructions:
1. Back up the current Caddy configuration.
2. Upgrade to Caddy version 2.11.1 or later.
3. Restart the Caddy service.
4. Verify mTLS functionality: a client certificate issued by the private CA is accepted, and a client certificate from any other CA is rejected.
🔧 Temporary Workarounds
Monitor CA file integrity
Linux: Implement file integrity monitoring on the CA certificate files so that you are alerted the moment one is deleted, moved or made unreadable, since the server itself will not tell you.
# Example using inotifywait on Linux: watch the directory holding the CA files for
# deletions, moves and permission/ownership changes of the files in it (when watching
# a single file rather than its directory, use delete_self and move_self instead)
inotifywait -m -e delete,move,attrib /path/to/ca/certificates
Regular configuration validation
All platforms: Implement automated checks that verify mTLS is actually enforcing the private CA. A positive test alone proves nothing here, because the fail-open server also accepts legitimate clients; the negative test is the one that detects the condition.
# Positive test: a client certificate issued by the private CA must be accepted
openssl s_client -connect localhost:443 -cert client.crt -key client.key -CAfile ca.crt
# Negative test: a client certificate from any other CA must fail the handshake;
# if this connection succeeds, the server is failing open
openssl s_client -connect localhost:443 -cert other-ca-client.crt -key other-ca-client.key -CAfile ca.crt
🧯 If You Can't Patch
- Make sure the CA files cannot silently disappear or become unreadable: keep them on local storage, owned by root and readable by the Caddy service user (for example mode 0640 with the Caddy group), rotate them by writing the new file alongside and renaming it into place rather than delete-then-recreate, and alert on any change with the file monitoring above.
- Terminate mTLS on an external authentication proxy or API gateway that validates client certificates against the private CA and fails closed, and only accept traffic into Caddy from it, so that Caddy's own client_auth is no longer the security boundary.
🔍 How to Verify
Check if Vulnerable:
Vulnerable if Caddy is older than 2.11.1 and mTLS is configured with trusted_ca_cert_file (Caddyfile) or trusted_ca_certs_pem_files (JSON). Such a deployment is only exploitable while the CA file is missing or unreadable, but every one of them is a single operational mistake away from that state.
Check Version:
caddy version
Verify Fix Applied:
Confirm that caddy version reports 2.11.1 or later, then test mTLS with a client certificate from outside the private CA (for example one issued by a public CA, or by a throwaway CA created for the test): the handshake must be rejected. In a staging environment, also move the CA file aside temporarily and repeat the test; the server must not accept the foreign certificate in that state either.
📡 Detection & Monitoring
Log Indicators:
- The fail-open path logs nothing of its own. Caddy's JSON access log does record request.tls.client_common_name and request.tls.client_serial whenever a client certificate was presented, so look for served requests whose CN or serial you do not recognize and, on an mTLS-only site, for served requests that carry no client certificate fields at all.
Network Indicators:
- Successful TLS handshakes and served requests from clients presenting certificates not issued by the configured private CA, typically from source addresses that never appeared before the CA file went missing.
SIEM Query:
Look for successfully served requests (status below 400) where the client certificate issuer is not your private CA. The default access log does not include the issuer, so either log the {http.request.tls.client.issuer} placeholder as an extra access-log field and compare it to the private CA's subject, or compare request.tls.client_serial against the serials your CA has actually issued.
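A detection pass over access logs implementing the query above, as an added example (editor-written, not from Caddy or the advisory). It assumes JSON access logs from an mTLS-only site and relies on the request.tls.client_common_name and client_serial fields Caddy emits when a client certificate is presented; the log lines, hostnames, addresses, serials and the issued-serial list are all constructed for the example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// accessEntry models the part of a Caddy JSON access log line used here. Caddy fills
// request.tls.client_common_name and client_serial only when a client certificate was
// presented; request.tls itself is absent on plain-HTTP requests.
type accessEntry struct {
	Status  int `json:"status"`
	Request struct {
		RemoteIP string `json:"remote_ip"`
		Host     string `json:"host"`
		URI      string `json:"uri"`
		TLS      *struct {
			ClientCommonName string `json:"client_common_name"`
			ClientSerial     string `json:"client_serial"`
		} `json:"tls"`
	} `json:"request"`
}

// Finding is one served request that should not have passed mTLS.
type Finding struct {
	RemoteIP, Host, URI, ClientCN, ClientSerial, Reason string
}

// FindSuspiciousClientCerts scans newline-delimited access log JSON from an mTLS-only
// site and flags each successfully served request (status below 400) whose client
// certificate serial is not in issuedSerials, the decimal serials the private CA has
// issued (Caddy logs the serial in decimal). A served TLS request with no client
// certificate at all is also flagged: require_and_verify must never let one through.
func FindSuspiciousClientCerts(logText string, issuedSerials map[string]bool) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		var e accessEntry
		if err := json.Unmarshal([]byte(sc.Text()), &e); err != nil || e.Request.TLS == nil {
			continue // blank, non-JSON or non-TLS line: nothing to check
		}
		if e.Status >= 400 {
			continue // refused anyway; not a bypass
		}
		f := Finding{RemoteIP: e.Request.RemoteIP, Host: e.Request.Host, URI: e.Request.URI,
			ClientCN: e.Request.TLS.ClientCommonName, ClientSerial: e.Request.TLS.ClientSerial}
		switch {
		case f.ClientSerial == "":
			f.Reason = "served without a client certificate"
		case !issuedSerials[f.ClientSerial]:
			f.Reason = "client certificate serial not issued by the private CA"
		default:
			continue
		}
		findings = append(findings, f)
	}
	return findings
}

// SampleLog is constructed for this example in the shape of Caddy's JSON access log; it is
// not real traffic. Line 1 is a legitimate private-CA client, line 2 a certificate from
// some other CA, line 3 a request served with no client certificate, line 4 was refused.
const SampleLog = `
{"level":"info","msg":"handled request","request":{"remote_ip":"10.0.0.5","host":"api.internal.example","uri":"/v1/status","tls":{"server_name":"api.internal.example","client_common_name":"alice","client_serial":"1234567890"}},"status":200}
{"level":"info","msg":"handled request","request":{"remote_ip":"203.0.113.7","host":"api.internal.example","uri":"/v1/admin","tls":{"server_name":"api.internal.example","client_common_name":"mallory.example.net","client_serial":"987654321"}},"status":200}
{"level":"info","msg":"handled request","request":{"remote_ip":"203.0.113.9","host":"api.internal.example","uri":"/v1/status","tls":{"server_name":"api.internal.example"}},"status":200}
{"level":"info","msg":"handled request","request":{"remote_ip":"203.0.113.9","host":"api.internal.example","uri":"/v1/admin","tls":{"server_name":"api.internal.example","client_common_name":"eve","client_serial":"555"}},"status":403}
`

// IssuedSerials stands in for the private CA's issuance records (constructed).
var IssuedSerials = map[string]bool{"1234567890": true}

func main() {
	for _, f := range FindSuspiciousClientCerts(SampleLog, IssuedSerials) {
		fmt.Printf("%s %s%s cn=%q serial=%q: %s\n", f.RemoteIP, f.Host, f.URI, f.ClientCN, f.ClientSerial, f.Reason)
	}
}
```

Serial numbers are unique only within one CA, so a certificate from another CA could collide with an issued serial and slip past this check; treat a serial match as necessary, not sufficient, and where you can add the {http.request.tls.client.issuer} placeholder to the log, compare the issuer instead.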