7 matches found
GHSA-X76F-JF84-RQJ8 Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass
Summary: Caddy's HTTP host request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the...
Improper Handling of Case Sensitivity
Overview: Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the host request matcher when the host list contains more than 100 entries. An attacker can gain unauthorized access to protected routes and sensitive endpoints by altering the case of the Host...
UBUNTU-CVE-2026-27588
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP host request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass...
CVE-2026-27588 Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP host request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass...
CVE-2026-27588
Summary (CVE-2026-27588) Caddy (v2.x) vulnerability in the host matcher: when a large allowlist (>100 hosts) is configured, the MatchHost algorithm uses a fast path that enforces a case-sensitive comparison, which makes the host matching effectively case-sensitive and can bypass host-based rou...
CVE-2026-27588 Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP host request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass...
PT-2026-21773
Name of the Vulnerable Software and Affected Versions: Caddy versions prior to 2.11.1. Description: Caddy’s HTTP host request matcher is documented as case-insensitive, but becomes case-sensitive when configured with a large host list (more than 100 entries) due to an optimized matching path. An...