CVE-2026-45692

Caddy: Remote Admin Authorization Bypass in `/config` API via Array Index Normalization

Assigner: GitHub_M
Reserved: 13.05.2026 Published: 23.06.2026 Updated: 23.06.2026

Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal layer do not agree on what object the path refers to. In this case, a path authorized for one config object is accepted, but then resolves to a different config object during traversal. This happens because the authorization layer uses string prefix matching and the /config traversal layer parses array indices numerically using strconv.Atoi(). This vulnerability is fixed in 2.11.3.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CVSS Score: 5.4

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	caddyserver
Product	caddy
Versions	Version >= 2.4.0, < 2.11.3 is affected

Vendor

caddyserver

Product

caddy

Versions

Version >= 2.4.0, < 2.11.3 is affected

References

Problem Types

CWE-187: Partial String Comparison CWE
CWE-863: Incorrect Authorization CWE

CVE-2026-45692 PUBLISHED

Caddy: Remote Admin Authorization Bypass in `/config` API via Array Index Normalization

Metrics

Product Status

References

Problem Types