GHSA-x5w9-xh9r-mvfc: Caddy: Remote Admin Authorization Bypass in `/config` API via Array Index Normalization
Severity: Medium
Tags: vulnerability, security
Summary
Caddy has an authorization bypass vulnerability in its `/config` API: the authorization layer and the traversal layer disagree on which object a path refers to. An admin client restricted to `/config/apps/http/servers/srv/routes/0` can access a different array element by requesting `/config/apps/http/servers/srv/routes/01`, because the authorization layer uses string prefix matching (and `.../routes/0` is a prefix of `.../routes/01`) while the traversal layer parses array indices numerically (`01` becomes `1`), so the request actually targets `routes[1]` instead of `routes[0]`.
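The mismatch described above, as an added Go example that is not Caddy's own code: a toy config tree, a vulnerable authorization check that uses plain string prefix matching, a traversal that parses array indices with `strconv.Atoi`, and a hardened check that first canonicalizes the requested path (rejecting any index that is not already in its canonical decimal form) and then compares whole path segments, so that both layers agree on the object. All function names and the sample config are constructed for this illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// sampleConfig builds a constructed configuration tree: maps for objects,
// slices for arrays, two routes under one server.
func sampleConfig() any {
	return map[string]any{
		"apps": map[string]any{
			"http": map[string]any{
				"servers": map[string]any{
					"srv": map[string]any{
						"routes": []any{
							map[string]any{"handle": "route-0"},
							map[string]any{"handle": "route-1"},
						},
					},
				},
			},
		},
	}
}

// segments strips the /config prefix and splits the remainder into path parts.
func segments(path string) []string {
	var out []string
	for _, s := range strings.Split(strings.TrimPrefix(path, "/config"), "/") {
		if s != "" {
			out = append(out, s)
		}
	}
	return out
}

// prefixAuthorized models the vulnerable layer: a plain string prefix test,
// which accepts ".../routes/01" for a client restricted to ".../routes/0".
func prefixAuthorized(allowed, requested string) bool {
	return strings.HasPrefix(requested, allowed)
}

// walk follows the tree along path. With strict=false array indices are parsed
// numerically (the traversal layer, where "01" means 1); with strict=true any
// index not in canonical decimal form is rejected, so each object has one path.
func walk(root any, path string, strict bool) (any, string, error) {
	cur := root
	var canon []string
	for _, seg := range segments(path) {
		switch node := cur.(type) {
		case map[string]any:
			next, ok := node[seg]
			if !ok {
				return nil, "", fmt.Errorf("no key %q", seg)
			}
			cur = next
		case []any:
			idx, err := strconv.Atoi(seg)
			if err != nil || idx < 0 || idx >= len(node) {
				return nil, "", fmt.Errorf("bad index %q", seg)
			}
			if strict && strconv.Itoa(idx) != seg {
				return nil, "", fmt.Errorf("non-canonical index %q", seg)
			}
			cur = node[idx]
		default:
			return nil, "", fmt.Errorf("cannot descend into %q", seg)
		}
		canon = append(canon, seg)
	}
	return cur, "/config/" + strings.Join(canon, "/"), nil
}

// hardenedAuthorized canonicalizes the request first, then compares whole
// segments, so the authorized path and the traversed path name the same object.
func hardenedAuthorized(root any, allowed, requested string) (bool, error) {
	_, canon, err := walk(root, requested, true)
	if err != nil {
		return false, err
	}
	a, r := segments(allowed), segments(canon)
	if len(a) > len(r) {
		return false, nil
	}
	for i := range a {
		if a[i] != r[i] {
			return false, nil
		}
	}
	return true, nil
}

// handleOf returns the "handle" value of a route node, or "" if absent.
func handleOf(node any) string {
	m, _ := node.(map[string]any)
	h, _ := m["handle"].(string)
	return h
}

func main() {
	cfg := sampleConfig()
	allowed := "/config/apps/http/servers/srv/routes/0"
	for _, req := range []string{allowed, allowed + "1"} {
		node, _, err := walk(cfg, req, false)
		fmt.Printf("%s: prefix-authorized=%v resolves-to=%q err=%v\n",
			req, prefixAuthorized(allowed, req), handleOf(node), err)
		ok, err := hardenedAuthorized(cfg, allowed, req)
		fmt.Printf("    hardened-authorized=%v err=%v\n", ok, err)
	}
}
```

Running it shows `.../routes/01` passing the prefix check yet resolving to `route-1`, while the hardened check rejects the request as a non-canonical index; a request for `.../routes/1` is also denied, because the segment comparison no longer treats `0` as a prefix of anything but itself.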
Vulnerability Details
EPSS (30-day exploit probability): 0.0%
Patch Available: Yes
Disclosure Date: May 19, 2026
Classification: Attack Sophistication: Moderate
Affected Packages: github.com/caddyserver/caddy/v2@>= 2.4.0, < 2.11.3 (fixed: 2.11.3)
Original source: https://github.com/advisories/GHSA-x5w9-xh9r-mvfc
First tracked: May 19, 2026 at 02:00 PM