GHSA-x76f-jf84-rqj8: Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass
Summary
Caddy's MatchHost matcher is documented as case-insensitive, but when it is configured with more than 100 host entries it switches to an optimized binary search that compares hosts case-sensitively. An attacker can therefore bypass host-based routing and access controls simply by changing the casing of the Host header (for example, sending 'H001.TEST' instead of 'h001.test').
Solution / Mitigation
The source suggests two fixes: (1) normalize exact hostnames to lower-case during MatchHost.Provision (at least for non-fuzzy entries), or (2) normalize the incoming request host to lower-case before the large-list binary search and equality check so the optimized path stays case-insensitive.
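The following Go program is an added illustration of the defect and of the second suggested fix; it is not Caddy's code. It assumes a hypothetical exact-host matcher (`HostMatcher`) that keeps its entries sorted and looks them up with a binary search, as the advisory describes for the large-list path. The `SampleHosts` list is constructed here for the demonstration. The `normalize` flag selects between the case-sensitive lookup (the vulnerable behaviour) and the corrected one, which lower-cases entries at provision time and lower-cases the request host before the search.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// HostMatcher is a hypothetical exact-host matcher (not Caddy's own code).
// It keeps its host list sorted so that lookups can use binary search.
// A binary search over sorted strings is only case-insensitive if both the
// stored entries and the request host are normalized in the same way.
type HostMatcher struct {
	hosts     []string // sorted for sort.SearchStrings
	normalize bool     // true: lower-case on provision and on match
}

// NewHostMatcher builds the sorted list. When normalize is true, each
// entry is lower-cased first (fix option 1 from the advisory).
func NewHostMatcher(hosts []string, normalize bool) *HostMatcher {
	list := make([]string, len(hosts))
	for i, h := range hosts {
		if normalize {
			h = strings.ToLower(h)
		}
		list[i] = h
	}
	sort.Strings(list)
	return &HostMatcher{hosts: list, normalize: normalize}
}

// Match reports whether reqHost is in the list. When normalize is true,
// the request host is lower-cased before the binary search and equality
// check (fix option 2 from the advisory), so 'H001.TEST' still matches.
// When normalize is false, the comparison is byte-exact and a differently
// cased Host header falls through the matcher.
func (m *HostMatcher) Match(reqHost string) bool {
	if m.normalize {
		reqHost = strings.ToLower(reqHost)
	}
	i := sort.SearchStrings(m.hosts, reqHost)
	return i < len(m.hosts) && m.hosts[i] == reqHost
}

// SampleHosts returns a constructed list h001.test .. hNNN.test; the
// advisory states that the optimized path is taken above 100 entries.
func SampleHosts(n int) []string {
	hosts := make([]string, 0, n)
	for i := 1; i <= n; i++ {
		hosts = append(hosts, fmt.Sprintf("h%03d.test", i))
	}
	return hosts
}

func main() {
	hosts := SampleHosts(101)
	vulnerable := NewHostMatcher(hosts, false)
	fixed := NewHostMatcher(hosts, true)

	for _, h := range []string{"h001.test", "H001.TEST", "h999.test"} {
		fmt.Printf("%-10s vulnerable=%-5v fixed=%v\n",
			h, vulnerable.Match(h), fixed.Match(h))
	}
}
```

Running it shows the lower-cased host matching in both matchers, the upper-cased variant matching only in the normalized one, and an unknown host matching in neither. Normalizing at both provision and match time is the conservative choice: normalizing only the request side leaves a mixed-case configuration entry unreachable, and normalizing only the configuration side leaves the bypass in place.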
Vulnerability Details
EPSS: 0.0%
Classification
Affected Packages
Original source: https://github.com/advisories/GHSA-x76f-jf84-rqj8
First tracked: February 24, 2026 at 07:00 PM
Classified by LLM (prompt v3) · confidence: 95%