CVE-2026-27590

9.8 CRITICAL

📋 TL;DR

CVE-2026-27590 is a path confusion vulnerability in Caddy's FastCGI handling that is triggered by Unicode characters in request paths. An attacker can cause non-PHP files to be executed as PHP code, potentially leading to remote code execution. It affects Caddy servers that use FastCGI with PHP, in versions before 2.11.1.

💻 Affected Systems

Products:
  • Caddy
Versions: All versions before 2.11.1
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only affects configurations using FastCGI with PHP processing. Standard Caddy installations without FastCGI are not vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise if attackers can upload files and execute them as PHP.

🟠

Likely Case

Unauthorized file execution allowing attackers to read sensitive files or execute arbitrary code in PHP contexts.

🟢

If Mitigated

Limited impact with proper file upload restrictions and execution controls in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires an understanding of Unicode character manipulation and FastCGI path handling. In some deployments the attacker also needs the ability to upload files or control file contents.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.11.1

Vendor Advisory: https://github.com/caddyserver/caddy/security/advisories/GHSA-5r3v-vc8m-m96g

Restart Required: Yes

Instructions:

1. Stop the Caddy service.
2. Update to version 2.11.1 or later using your package manager, or download the release from GitHub releases.
3. Restart the Caddy service.

🔧 Temporary Workarounds

Disable FastCGI PHP processing (applies to: all)

  • Remove or disable the FastCGI configuration for PHP if it is not required
  • Edit the Caddyfile to remove or comment out php_fastcgi directives

Restrict file uploads (applies to: all)

  • Implement strict controls on file upload functionality

🧯 If You Can't Patch

  • Implement WAF rules to block requests containing Unicode characters in paths targeting PHP files
  • Restrict file permissions and implement strict file upload validation with whitelisted extensions only

🔍 How to Verify

Check if Vulnerable:

Check the Caddy version and the FastCGI configuration. If FastCGI is used with PHP and the version is < 2.11.1, the system is vulnerable.

Check Version:

caddy version

Verify Fix Applied:

Verify Caddy version is 2.11.1 or later and test FastCGI path handling with Unicode characters.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Unicode characters in request paths to PHP files
  • Multiple failed attempts to access files with special characters

Network Indicators:

  • HTTP requests with Unicode characters in paths targeting .php endpoints
  • Unusual file execution patterns via FastCGI

SIEM Query:

source="caddy" AND (path:*%* OR path:*\u* OR path:*\x*) AND (path:*.php* OR file:*.php*)
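As an added example (not part of this advisory or of the Caddy project), the following Python script applies the same detection idea offline to Caddy's JSON access log: it flags requests whose decoded URI targets a .php component and contains non-ASCII (Unicode or malformed percent-encoded) characters. The sample log lines are constructed; the field names (`logger`, `request.uri`) are assumed to match Caddy's default JSON access log encoder.

```python
import json
from urllib.parse import unquote

# Constructed sample lines modelled on Caddy's JSON access log format
# (assumption: default JSON encoder, access entries under logger "http.log.access").
SAMPLE_LOG = """
{"level":"info","ts":1700000000.1,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.5","method":"GET","host":"example.test","uri":"/index.php?page=1"},"status":200}
{"level":"info","ts":1700000000.2,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.7","method":"GET","host":"example.test","uri":"/app/caf%C3%A9.php"},"status":404}
{"level":"info","ts":1700000000.3,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.9","method":"GET","host":"example.test","uri":"/docs/r%C3%A9sum%C3%A9.pdf"},"status":200}
not json at all
"""


def suspicious_php_request(uri):
    """True if the decoded path names a .php component and contains non-ASCII characters.

    Percent-decoding is done first so that encoded Unicode (e.g. %C3%A9) is caught.
    Invalid UTF-8 sequences (e.g. overlong %C0%AF) decode to U+FFFD, which is also
    non-ASCII, so malformed encodings are flagged rather than silently ignored.
    """
    path = uri.split("?", 1)[0]          # ignore the query string
    decoded = unquote(path, errors="replace")
    has_non_ascii = any(ord(ch) > 0x7F for ch in decoded)
    targets_php = ".php" in decoded.lower()
    return targets_php and has_non_ascii


def scan_caddy_log(lines):
    """Return a list of hit records (ts, remote_ip, uri, status) for suspicious access entries."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                      # skip non-JSON lines (e.g. stderr noise)
        if not str(rec.get("logger", "")).startswith("http.log.access"):
            continue                      # only access-log entries carry request.uri
        req = rec.get("request", {})
        uri = req.get("uri", "")
        if suspicious_php_request(uri):
            hits.append({"ts": rec.get("ts"), "remote_ip": req.get("remote_ip"),
                         "uri": uri, "status": rec.get("status")})
    return hits


if __name__ == "__main__":
    for hit in scan_caddy_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

Pipe a real access log into `scan_caddy_log` line by line; hits are review candidates for the log indicators listed above, not proof of exploitation.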
