GHSA-4xrr-hq4w-6vf4: Caddy: Improper sanitization of glob characters in file matcher may lead to bypassing security protections
Severity: medium
Summary
Caddy's file matcher doesn't escape backslashes when sanitizing glob patterns (it escapes the special characters used for file matching, but not the escape character itself), which allows attackers to bypass security protections. For example, a reverse proxy blocking `/documents/*` can be bypassed by requesting `/do%5ccuments/` (where `%5c` is a backslash): the prefix rule does not match the decoded path `/do\cuments/`, but in a glob pattern a backslash escapes the character that follows it, and escaping an ordinary character simply yields that character, so the pattern `do\cuments` matches the directory `documents`.
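To make the escape handling concrete, here is an added Go example (not Caddy's code) that models the bug class: a hypothetical sanitizer that escapes `*`, `?` and `[` but not `\`, beside one that also escapes the backslash, with the standard library's `path.Match` standing in for the glob matcher. The `/do%5ccuments/` request, the `/documents/` deny rule and the on-disk name `documents` are the advisory's example; the function names and the prefix-based proxy rule are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Hypothetical reconstruction of the bug class, not Caddy's code: a request
// path is turned into a glob pattern to look up files, and glob
// metacharacters are escaped before matching.

// sanitizeGlobVulnerable escapes '*', '?' and '[' but not '\'.
func sanitizeGlobVulnerable(s string) string {
	return strings.NewReplacer("*", `\*`, "?", `\?`, "[", `\[`).Replace(s)
}

// sanitizeGlobFixed also escapes the backslash, so it can no longer act as a
// glob escape. NewReplacer makes a single pass, so the escapes it inserts are
// not themselves re-escaped.
func sanitizeGlobFixed(s string) string {
	return strings.NewReplacer(`\`, `\\`, "*", `\*`, "?", `\?`, "[", `\[`).Replace(s)
}

// decodePath percent-decodes a raw request path (%5c becomes '\').
func decodePath(raw string) string {
	p, err := url.PathUnescape(raw)
	if err != nil {
		return raw
	}
	return p
}

// blockedByProxy models a prefix-based deny rule for /documents/*.
func blockedByProxy(decoded string) bool {
	return strings.HasPrefix(decoded, "/documents/")
}

// fileMatcherHits reports whether the glob built from the decoded request
// path matches the real on-disk directory name.
func fileMatcherHits(sanitize func(string) string, decoded, realDir string) bool {
	pattern := sanitize(strings.Trim(decoded, "/"))
	ok, err := path.Match(pattern, realDir)
	return err == nil && ok
}

func main() {
	for _, raw := range []string{"/documents/", "/do%5ccuments/"} {
		d := decodePath(raw)
		fmt.Printf("%-16s blocked=%-5v vulnerable=%-5v fixed=%v\n", raw, blockedByProxy(d),
			fileMatcherHits(sanitizeGlobVulnerable, d, "documents"),
			fileMatcherHits(sanitizeGlobFixed, d, "documents"))
	}
}
```

With the fixed sanitizer the encoded request only matches a directory literally named `do\cuments`, while plain requests for `/documents/` still resolve as before.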
Vulnerability Details
EPSS (30-day exploit probability): 0.1%
Classification: attack sophistication Moderate
Affected Packages: github.com/caddyserver/caddy/v2/modules/caddyhttp/fileserver < 2.11.0 (fixed: 2.11.1)
Original source: https://github.com/advisories/GHSA-4xrr-hq4w-6vf4
First tracked: February 24, 2026 at 07:00 PM
Classified by LLM (prompt v3) · confidence: 95%