CVE-2026-45692 in caddy
Summary
by MITRE • 06/23/2026
Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal layer do not agree on what object the path refers to. In this case, a path authorized for one config object is accepted, but then resolves to a different config object during traversal. This happens because the authorization layer uses string prefix matching and the /config traversal layer parses array indices numerically using strconv.Atoi(). This vulnerability is fixed in 2.11.3.
Analysis
by VulDB Data Team • 06/23/2026
The vulnerability in the Caddy server platform is a critical authorization bypass present from version 2.4.0 until 2.11.3 that undermines the security model of its configuration management system. The flaw stems from a disagreement between two layers of the architecture: the authorization layer and the /config traversal layer. The authorization layer uses string prefix matching to decide access, while the traversal layer parses array indices numerically with strconv.Atoi(). A path that the authorization layer accepts for one configuration object can therefore resolve to a different configuration object during traversal, because the string prefix comparison does not account for the numeric array indexing the traversal layer applies, giving access to configuration resources that should remain protected.
Exploitation relies on this difference in how the two layers interpret paths, producing a path traversal scenario in which the intended access controls are bypassed. When a request names a configuration path, the authorization layer validates it by string prefix comparison and grants access if it matches an authorized pattern; during traversal, however, array indices are parsed numerically, so the same path resolves to a configuration object other than the one permitted. This creates an arbitrary file read or write scenario in which unauthorized users can access or modify sensitive configuration data that should be restricted to privileged administrators. The vulnerability is classified as a path traversal issue with authorization bypass characteristics and is mapped to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-23 (Relative Path Traversal).
The operational impact goes beyond simple unauthorized access: an attacker could use the weakness to modify core server settings, inject malicious configuration, or read sensitive information held in the configuration system, and so escalate privileges over critical server configuration parameters. Because Caddy is an extensible server platform with TLS enabled by default, its security boundaries depend on proper access controls around configuration, so the flaw could compromise not only individual configuration objects but potentially entire server configurations if chained with other exploits. The issue shows how a seemingly minor inconsistency between layers of a system can have significant security consequences.
Mitigation requires immediate deployment of Caddy 2.11.3 or later, where the inconsistency has been resolved by making the authorization and traversal layers interpret paths consistently, eliminating the numeric-versus-string parsing discrepancy that enabled the bypass. Organizations should monitor configuration access patterns to detect attempted exploitation and maintain access control policies that limit exposure to this class of weakness. Security teams should audit their Caddy deployments for vulnerable versions and keep patch management in place so that similar inconsistencies do not emerge in other components. The vulnerability is a reminder that security layers must agree on what object they are protecting; an architectural mismatch between them creates an exploitable condition.
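The layer mismatch described in the analysis and the consistent-interpretation fix the mitigation paragraph calls for, as an added Go illustration that is not Caddy's code: an assumed simplified model with a prefix-string authorizer beside a segment-wise check that normalizes index segments with the same strconv.Atoi the traversal layer uses. All paths are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// isAuthorizedPrefix models the weak check the advisory describes:
// access is granted when the requested path merely begins with the
// allowed string. It ignores segment boundaries and numeral spelling.
func isAuthorizedPrefix(allowed, requested string) bool {
	return strings.HasPrefix(requested, allowed)
}

// canonicalSegments splits a /config path into segments and rewrites any
// segment that strconv.Atoi accepts into its canonical decimal form, so
// "01", "+1" and "1" all become "1", which is how a numeric index parser
// treats them during traversal.
func canonicalSegments(path string) []string {
	parts := strings.Split(strings.Trim(path, "/"), "/")
	out := make([]string, 0, len(parts))
	for _, p := range parts {
		if n, err := strconv.Atoi(p); err == nil {
			p = strconv.Itoa(n)
		}
		out = append(out, p)
	}
	return out
}

// isAuthorizedCanonical is the hardened check: both paths are normalized
// with the same index parsing the traversal layer uses and compared one
// whole segment at a time, so the object that is authorized is exactly
// the object that traversal will resolve.
func isAuthorizedCanonical(allowed, requested string) bool {
	a, r := canonicalSegments(allowed), canonicalSegments(requested)
	if len(r) < len(a) {
		return false
	}
	for i := range a {
		if a[i] != r[i] {
			return false
		}
	}
	return true
}

func main() {
	// Constructed paths, not taken from any real Caddy deployment.
	allowed := "/config/apps/http/servers/srv0/routes/0"
	req := "/config/apps/http/servers/srv0/routes/01/handle"
	fmt.Println(isAuthorizedPrefix(allowed, req), isAuthorizedCanonical(allowed, req)) // true false
}
```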