GHSA-gx7w-56w6-g48x: Caddy: Remote Admin Authorization Bypass on PKI Endpoints via Prefix-Based Path Matching
Summary
Caddy's remote admin access control has a bug in how it checks whether a client certificate is allowed to access certain paths. It uses prefix matching (checking whether a requested path starts with an allowed path) without verifying that the allowed path ends at a proper path boundary, so a certificate authorized only for `/pki/ca/prod` can also access `/pki/ca/prod-backup` or `/pki/ca/prod1`. This breaks the principle of least privilege (giving users only the minimum access they need) and allows authenticated users to bypass authorization restrictions on PKI (public key infrastructure, used for managing certificates) endpoints.
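The following Go snippet is an added illustration of the bug class described above, not Caddy's own code: `allowedVulnerable` reproduces a bare prefix check, while `allowedBoundary` shows the boundary-aware comparison (plus path cleaning) a reviewer would expect; the function names and the sample policy are constructed for this example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// allowedVulnerable: a bare prefix comparison, so a permission for
// "/pki/ca/prod" also admits "/pki/ca/prod-backup" and "/pki/ca/prod1".
// Hypothetical reconstruction of the flawed pattern, not Caddy's source.
func allowedVulnerable(permitted []string, reqPath string) bool {
	for _, p := range permitted {
		if strings.HasPrefix(reqPath, p) {
			return true
		}
	}
	return false
}

// allowedBoundary admits only the permitted path itself or a descendant
// of it: after the prefix the next byte must be a "/" separator.
// The request path is cleaned first so "/pki/ca/prod/../prod-backup"
// is compared as "/pki/ca/prod-backup" rather than matching on its prefix.
func allowedBoundary(permitted []string, reqPath string) bool {
	clean := path.Clean(reqPath)
	for _, p := range permitted {
		p = strings.TrimSuffix(path.Clean(p), "/")
		if clean == p || strings.HasPrefix(clean, p+"/") {
			return true
		}
	}
	return false
}

func main() {
	permitted := []string{"/pki/ca/prod"} // constructed sample policy
	for _, req := range []string{
		"/pki/ca/prod", "/pki/ca/prod/certificates",
		"/pki/ca/prod-backup", "/pki/ca/prod1", "/pki/ca/prod/../prod-backup",
	} {
		fmt.Printf("%-30s vulnerable=%-5v boundary=%v\n",
			req, allowedVulnerable(permitted, req), allowedBoundary(permitted, req))
	}
}
```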
Original source: https://github.com/advisories/GHSA-gx7w-56w6-g48x
First tracked: May 19, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%