VAR-202602-3216
Vulnerability from variot - Updated: 2026-03-03 23:25. Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP host request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the casing of the Host header. Version 2.11.1 contains a fix for the issue. This issue has been fixed in version 2.11.1. All information handled by the software may be leaked to the outside. All information handled by the software may be rewritten. Furthermore, the software will not stop running, and attacks that exploit this vulnerability will not affect other software.
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202602-3216",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "caddy",
"scope": "lt",
"trust": 1.0,
"vendor": "caddyserver",
"version": "2.11.1"
},
{
"model": "caddy",
"scope": "gte",
"trust": 1.0,
"vendor": "caddyserver",
"version": "2.10.2"
},
{
"model": "caddy",
"scope": "eq",
"trust": 0.8,
"vendor": "light code",
"version": "2.10.2 that\u0027s all 2.11.1"
},
{
"model": "caddy",
"scope": null,
"trust": 0.8,
"vendor": "light code",
"version": null
},
{
"model": "caddy",
"scope": "eq",
"trust": 0.8,
"vendor": "light code",
"version": null
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2026-005158"
},
{
"db": "NVD",
"id": "CVE-2026-27588"
}
]
},
"cve": "CVE-2026-27588",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"id": "CVE-2026-27588",
"impactScore": 5.2,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 9.1,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2026-27588",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2026-27588",
"trust": 1.0,
"value": "CRITICAL"
},
{
"author": "security-advisories@github.com",
"id": "CVE-2026-27588",
"trust": 1.0,
"value": "High"
},
{
"author": "NVD",
"id": "CVE-2026-27588",
"trust": 0.8,
"value": "Critical"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2026-005158"
},
{
"db": "NVD",
"id": "CVE-2026-27588"
},
{
"db": "NVD",
"id": "CVE-2026-27588"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy\u0027s HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host list (\u003e100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the casing of the `Host` header. Version 2.11.1 contains a fix for the issue. This issue has been fixed in version 2.11.1. All information handled by the software may be leaked to the outside. All information handled by the software may be rewritten. Furthermore, the software will not stop running, and attacks that exploit this vulnerability will not affect other software.",
"sources": [
{
"db": "NVD",
"id": "CVE-2026-27588"
},
{
"db": "JVNDB",
"id": "JVNDB-2026-005158"
}
],
"trust": 1.62
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2026-27588",
"trust": 2.6
},
{
"db": "JVNDB",
"id": "JVNDB-2026-005158",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2026-005158"
},
{
"db": "NVD",
"id": "CVE-2026-27588"
}
]
},
"id": "VAR-202602-3216",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.13392857
},
"last_update_date": "2026-03-03T23:25:23.865000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Caddy",
"trust": 0.8,
"url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-x76f-jf84-rqj8"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2026-005158"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-178",
"trust": 1.0
},
{
"problemtype": "Improper case sensitivity (CWE-178) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2026-005158"
},
{
"db": "NVD",
"id": "CVE-2026-27588"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.8,
"url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1"
},
{
"trust": 1.0,
"url": "https://github.com/caddyserver/caddy/security/advisories/ghsa-x76f-jf84-rqj8"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2026-27588"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2026-005158"
},
{
"db": "NVD",
"id": "CVE-2026-27588"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "JVNDB",
"id": "JVNDB-2026-005158"
},
{
"db": "NVD",
"id": "CVE-2026-27588"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2026-02-27T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2026-005158"
},
{
"date": "2026-02-24T17:29:04.163000",
"db": "NVD",
"id": "CVE-2026-27588"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2026-02-27T03:42:00",
"db": "JVNDB",
"id": "JVNDB-2026-005158"
},
{
"date": "2026-02-25T17:10:48.980000",
"db": "NVD",
"id": "CVE-2026-27588"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Light\u00a0Code\u00a0Labs Caddy: vulnerability in improper handling of uppercase and lowercase letters",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2026-005158"
}
],
"trust": 0.8
}
}