CVE-2026-52844
Summary
by MITRE • 06/23/2026
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, on Windows, Caddy path matchers treat /private\secret.txt as outside /private/*, but file_server later resolves the same request path as private\secret.txt on disk. An unauthenticated remote client can bypass Caddy path-scoped auth/deny routes protecting /private/*. This vulnerability is fixed in 2.11.4.
Analysis
by VulDB Data Team • 06/23/2026
This vulnerability exists in the Caddy server platform's handling of file paths on Windows and affects versions prior to 2.11.4. The issue stems from a path normalization inconsistency between how Caddy's path matchers evaluate the request path and how the file_server handler resolves that same path on disk. For a request such as /private\secret.txt, the matcher treats the backslash as an ordinary character, so the path does not fall under the protected /private/* scope; file_server then resolves the same string to private\secret.txt under the site root, where Windows treats the backslash as a directory separator. The two components therefore disagree about which file the request refers to, and the authorization decision is made on the wrong answer.
The flaw is a difference in path interpretation between Caddy's routing logic and its filesystem operations. The path matcher compares the URL path as a string in which only the forward slash separates segments, whereas the Windows filesystem accepts both the forward slash and the backslash as separators. An attacker can therefore craft a request that lies outside the protected prefix from the matcher's point of view but resolves to a file inside that directory when file_server opens it. The advisory scopes the issue to Windows, where this dual-separator behavior exists.
The operational impact is that an unauthenticated remote client can read files that should be protected by path-scoped authentication or authorization routes. Any resource under /private/* that file_server is able to serve becomes retrievable by anyone who can reach the server, with no user interaction required. This is an authorization bypass rather than a privilege escalation: the attacker obtains no account or elevated role, only access to content the configuration was meant to restrict.
The vulnerability is best described by CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and, more precisely, CWE-41 (Improper Resolution of Path Equivalence), since two spellings of the same on-disk path are treated as different by the access check. Cross-site request forgery does not apply, because no victim browser or session is involved. In ATT&CK terms the relevant technique is T1190 (Exploit Public-Facing Application): the attacker sends a crafted request directly to the server, uses no credentials, and needs no user to click anything, so techniques such as Valid Accounts or Phishing do not fit.
The fix is to upgrade to Caddy 2.11.4 or later. Where upgrading must wait, reject backslashes in request paths at the edge: a matcher in front of the protected routes that refuses any path containing \ (including the percent-encoded form %5C, if it is decoded before matching) closes this specific bypass, and the same check belongs in any custom handler that performs its own file lookups. More generally, canonicalize the request path once and use that single representation for both the access-control decision and the filesystem operation, never two different ones. Logging requests whose path contains a backslash or mixed separators provides a useful detection signal, since legitimate clients rarely send them.
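The following Go program is an added illustration of the mismatch described in the analysis and of the canonicalize-once mitigation; it is not Caddy's code and does not reproduce Caddy's actual fix. It models a prefix matcher for /private/* and models the Windows filesystem's treatment of backslashes explicitly (so the demonstration runs on any OS), then shows the vulnerable ordering beside a hardened handler that builds one canonical path and uses it for both the access check and the file lookup. The names webRoot, matchesProtectedPrefix, resolveAsWindows, vulnerableHandle, canonicalize and hardenedHandle are hypothetical.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// webRoot is a hypothetical file_server root used only for this example.
const webRoot = "/srv/www"

// matchesProtectedPrefix models a path matcher for "/private/*": it compares
// the request path byte-for-byte, so '\' is just another character and
// "/private\secret.txt" does NOT start with "/private/".
func matchesProtectedPrefix(urlPath string) bool {
	return strings.HasPrefix(urlPath, "/private/")
}

// resolveAsWindows models how the Windows filesystem layer treats the same
// string: '\' and '/' are both separators. The replacement is done by hand so
// the mismatch is visible on Linux too, where path/filepath would not do it.
func resolveAsWindows(root, urlPath string) string {
	unified := strings.ReplaceAll(urlPath, `\`, "/")
	// Cleaning a rooted path also collapses "../" so nothing escapes root.
	return path.Join(root, path.Clean("/"+unified))
}

// Decision records what a handler did with a request.
type Decision struct {
	Denied bool   // true when the auth/deny route fired
	Served string // resolved on-disk path, empty if denied
}

// vulnerableHandle is the pre-fix ordering: authorize on the raw URL path,
// then hand the very same raw string to the filesystem.
func vulnerableHandle(urlPath string, authenticated bool) Decision {
	if matchesProtectedPrefix(urlPath) && !authenticated {
		return Decision{Denied: true}
	}
	return Decision{Served: resolveAsWindows(webRoot, urlPath)}
}

// canonicalize builds the single representation used for both decisions.
// A backslash in a URL path is rejected outright rather than reinterpreted;
// normalizing it to '/' before matching would also work, as long as the
// matcher and the file lookup see the same string.
func canonicalize(urlPath string) (string, bool) {
	if strings.Contains(urlPath, `\`) {
		return "", false
	}
	return path.Clean("/" + urlPath), true
}

// hardenedHandle matches and serves on the canonical path only.
func hardenedHandle(urlPath string, authenticated bool) Decision {
	canon, ok := canonicalize(urlPath)
	if !ok {
		return Decision{Denied: true}
	}
	if matchesProtectedPrefix(canon) && !authenticated {
		return Decision{Denied: true}
	}
	return Decision{Served: path.Join(webRoot, canon)}
}

func main() {
	// Constructed sample requests, all unauthenticated.
	for _, req := range []string{"/private/secret.txt", `/private\secret.txt`, "/public/index.html"} {
		fmt.Printf("%-22s vulnerable=%+v hardened=%+v\n",
			req, vulnerableHandle(req, false), hardenedHandle(req, false))
	}
}
```

Running it shows the second request slipping past the vulnerable handler (Denied:false with Served pointing inside /srv/www/private) while the hardened handler denies it; the plain /private/ spelling is denied by both. Any percent-decoding of the request path has to happen before canonicalize runs, otherwise %5C would bypass the check the same way.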