CVE-2026-27586

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-27586
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but accepts any client certificate signed by any system-trusted CA, completely bypassing the intended private CA trust boundary. Any deployment using `trusted_ca_cert_file` or `trusted_ca_certs_pem_files` for mTLS will silently degrade to accepting any system-trusted client certificate if the CA file becomes unavailable. This can happen due to a typo in the path, file rotation, corruption, or permission changes. The server gives no indication that mTLS is misconfigured. Version 2.11.1 fixes the vulnerability.

9.1 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://gist.github.com/moscowchill/9566c79c76c0b64c57f8bd0716f97c48 Exploit
https://github.com/caddyserver/caddy/releases/tag/v2.11.1 Release Notes
https://github.com/caddyserver/caddy/security/advisories/GHSA-hffm-g8v7-wrv7 Exploit Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*
History

25 Feb 2026, 17:14

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.1
CPE cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*
First Time Caddyserver
Caddyserver caddy
References () https://gist.github.com/moscowchill/9566c79c76c0b64c57f8bd0716f97c48 - () https://gist.github.com/moscowchill/9566c79c76c0b64c57f8bd0716f97c48 - Exploit
References () https://github.com/caddyserver/caddy/releases/tag/v2.11.1 - () https://github.com/caddyserver/caddy/releases/tag/v2.11.1 - Release Notes
References () https://github.com/caddyserver/caddy/security/advisories/GHSA-hffm-g8v7-wrv7 - () https://github.com/caddyserver/caddy/security/advisories/GHSA-hffm-g8v7-wrv7 - Exploit, Vendor Advisory

24 Feb 2026, 17:29

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-24 17:29

Updated : 2026-02-25 17:14

NVD link : CVE-2026-27586

Mitre link : CVE-2026-27586

CVE.ORG link : CVE-2026-27586

JSON object : View

Products Affected

caddyserver

  • caddy
CWE
CWE-755

Improper Handling of Exceptional Conditions