GHSA-g7pc-pc7g-h8jh: Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass
high vulnerability
security
Summary
Caddy's path matcher is meant to be case-insensitive, but when a match pattern contains percent-escape sequences (encoded characters such as %2F for a slash), the request path is compared without being lowercased. An attacker can therefore bypass access controls that rely on such a matcher simply by changing letter casing (for example, requesting /ADMIN%2Fpanel instead of /admin%2Fpanel).
Solution / Mitigation
In the percent-pattern matching branch, lowercase the constructed comparison string in matchPatternWithEscapeSequence immediately before calling path.Match, matching the behavior of the normal matching branch.
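To make the bug and its fix concrete, the following is an added Go example, not Caddy's code: a simplified model of a case-insensitive path matcher with the two branches the advisory describes. It assumes patterns are lowercased at configuration time, and models the escaped-pattern branch as lowercasing only the hex digits of each %xx while leaving other letters untouched; the fix lowercases the whole constructed string right before path.Match.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// escapedSubject models (not Caddy's code) the string built for a pattern
// with %xx: only the hex digits of each escape are lowercased, nothing else.
func escapedSubject(escapedPath string) string {
	var sb strings.Builder
	for i := 0; i < len(escapedPath); i++ {
		if escapedPath[i] == '%' && i+2 < len(escapedPath) {
			sb.WriteString(strings.ToLower(escapedPath[i : i+3]))
			i += 2
			continue
		}
		sb.WriteByte(escapedPath[i])
	}
	return sb.String()
}

// MatchPath lowercases the pattern at configuration time and compares it to
// the path of rawURI; fixed=false keeps the vulnerable branch, true the fix.
func MatchPath(pattern, rawURI string, fixed bool) (bool, error) {
	u, err := url.Parse(rawURI)
	if err != nil {
		return false, err
	}
	pattern = strings.ToLower(pattern)
	subject := strings.ToLower(u.Path) // normal branch: decoded path, lowercased
	if strings.Contains(pattern, "%") {
		subject = escapedSubject(u.EscapedPath()) // escaped branch: raw path
		if fixed {
			subject = strings.ToLower(subject) // the fix, right before path.Match
		}
	}
	return path.Match(pattern, subject)
}

func main() {
	for _, fixed := range []bool{false, true} {
		for _, uri := range []string{"/admin%2Fpanel", "/ADMIN%2Fpanel"} {
			ok, _ := MatchPath("/admin%2F*", uri, fixed)
			fmt.Printf("fixed=%-5v %-14s matched=%v\n", fixed, uri, ok)
		}
	}
}
```

With fixed=false the uppercased request does not match the pattern, so a route or authentication rule keyed on that matcher is skipped; with fixed=true both spellings match.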
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Classification
Attack Sophistication: Trivial
Affected Packages
github.com/caddyserver/caddy/v2/modules/caddyhttp, versions < 2.11.0 (fixed: 2.11.1)
Original source: https://github.com/advisories/GHSA-g7pc-pc7g-h8jh
First tracked: February 24, 2026 at 07:00 PM
Classified by LLM (prompt v3) · confidence: 95%