Loading market data...
← Back to CVE feed

CVE-2026-52844

HIGH CVSS 7.5 View on NVD ↗

Description

Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, on Windows, Caddy path matchers treat /private\secret.txt as outside /private/*, but file_server later resolves the same request path as private\secret.txt on disk. An unauthenticated remote client can bypass Caddy path-scoped auth/deny routes protecting /private/*. This vulnerability is fixed in 2.11.4.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Published: Jun 23, 2026 18:18 UTC Modified: Jun 23, 2026 21:17 UTC