GHSA-qrp7-cvwr-j2c6: Caddy: Windows `file_server` path authorization bypass via encoded backslash
Summary
On Windows, Caddy is vulnerable to a path-based authorization bypass: an attacker can evade path matching rules by sending a URL-encoded backslash (`%5c`) in the request path. The issue occurs because Caddy's path matcher does not treat backslashes as path separators when evaluating authorization rules, while the file server does treat them as separators when resolving files on disk. As a result, a request for `/private%5csecret.txt` is not caught by a rule meant to block `/private/*`, yet the file server still resolves it inside the protected directory.
Solution / Mitigation
The source suggests two potential fixes: "Normalize Windows path separators consistently before `MatchPath` evaluates request paths, or reject request paths containing `\` before `file_server` resolves."
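The following Go snippet is an added illustration (not Caddy's own code) of the mismatch and of both suggested fixes: a prefix matcher that only understands `/`, the same rule evaluated after backslash normalization, and a plain backslash rejection check. The `/private/` deny rule and the helper names are assumptions for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// decodePath percent-decodes the raw request path, as a server does before
// comparing it with its path matchers (so %5c becomes a literal backslash).
func decodePath(raw string) string {
	p, err := url.PathUnescape(raw)
	if err != nil {
		return raw
	}
	return p
}

// deniedUnsafe models a matcher that only understands '/' as a separator:
// the decoded "/private\secret.txt" does not start with "/private/", so the
// deny rule never fires, although a Windows file server resolves it inside private.
func deniedUnsafe(raw string) bool {
	return strings.HasPrefix(decodePath(raw), "/private/")
}

// normalizePath implements the first suggested fix: fold every backslash into
// a forward slash and clean the result (collapsing "//", resolving "..") first.
func normalizePath(raw string) string {
	p := strings.ReplaceAll(decodePath(raw), `\`, "/")
	return path.Clean("/" + p)
}

// deniedNormalized is the same deny rule evaluated on the normalized path.
func deniedNormalized(raw string) bool {
	return strings.HasPrefix(normalizePath(raw), "/private/")
}

// hasBackslash implements the second suggested fix: reject any request whose
// decoded path contains a backslash at all, before file_server runs.
func hasBackslash(raw string) bool {
	return strings.Contains(decodePath(raw), `\`)
}

func main() {
	req := "/private%5csecret.txt" // the advisory's example request
	fmt.Println(deniedUnsafe(req), deniedNormalized(req), hasBackslash(req))
}
```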
Vulnerability Details
EPSS: 0.0%
June 16, 2026
Original source: https://github.com/advisories/GHSA-qrp7-cvwr-j2c6
First tracked: June 16, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%