CVE-2026-27588

9.1 CRITICAL

📋 TL;DR

Caddy servers with host lists exceeding 100 entries have a case-sensitivity vulnerability in the HTTP host matcher. An attacker can bypass host-based routing and access controls by manipulating the casing of the Host header. Only Caddy servers that use host-based routing with such large host lists are affected.

💻 Affected Systems

Products:
  • Caddy
Versions: All versions prior to 2.11.1
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when configured with host-based routing using more than 100 host entries.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete bypass of host-based access controls, allowing unauthorized access to restricted routes, potential data exposure, or privilege escalation.

🟠 Likely Case

Bypass of specific host-based routing rules, potentially accessing unintended backend services or bypassing security filters.

🟢 If Mitigated

Limited impact if additional authentication layers exist beyond host-based routing, or if host lists are small.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP header manipulation with no authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.11.1

Vendor Advisory: https://github.com/caddyserver/caddy/security/advisories/GHSA-x76f-jf84-rqj8

Restart Required: Yes

Instructions:

1. Back up the current Caddy configuration.
2. Update Caddy to version 2.11.1 or later using your package manager, or download it from GitHub releases.
3. Restart the Caddy service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Reduce host list size (applies to: all)

Reduce the number of host entries in your Caddy configuration to 100 or fewer to avoid the vulnerable code path.

Edit the Caddyfile to consolidate or remove host entries.

WAF/Proxy normalization (applies to: all)

Deploy a WAF or reverse proxy that normalizes Host headers to lowercase before they reach Caddy.

🧯 If You Can't Patch

  • Implement additional authentication layers beyond host-based routing
  • Deploy network-level controls to restrict access to vulnerable routes

🔍 How to Verify

Check if Vulnerable:

Check if Caddy version is below 2.11.1 AND configuration contains host-based routing with >100 entries.

Check Version:

caddy version

Verify Fix Applied:

After updating to 2.11.1+, test with various Host header casings to ensure consistent routing behavior.

📡 Detection & Monitoring

Log Indicators:

  • Multiple access attempts with varying Host header casing
  • Access to routes from unexpected hostnames

Network Indicators:

  • HTTP requests with non-standard Host header casing
  • Traffic to routes that should be blocked by host rules

SIEM Query:

source="caddy" AND (Host:*[A-Z]* OR http.host:*[A-Z]*)
