GO-2026-4541 Caddy MatchHost becomes case-sensitive in github.com/caddyserver/caddy/v2

Caddy MatchHost becomes case-sensitive in github.com/caddyserver/caddy/v2...

Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass

Summary Caddy's HTTP host request matcher is documented as case-insensitive, but when configured with a large host list 100 entries it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the...