CVE-2026-27590
Published: 24 February 2026
Description
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change the UTF-8 byte length of some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment). Version 2.11.1 fixes the issue.
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the vulnerability by requiring timely patching of Caddy to version 2.11.1 or later, which fixes the unsafe FastCGI Unicode path splitting logic.
- Addresses the improper input validation (CWE-20) by enforcing validation of request paths, preventing Unicode-induced byte index shifts that lead to path confusion and unintended file execution.
- Vulnerability scanning detects the presence of CVE-2026-27590 in Caddy deployments, enabling proactive remediation before exploitation.
Security Summary
CVE-2026-27590 is a high-severity vulnerability in Caddy, an extensible server platform that enables TLS by default, affecting versions prior to 2.11.1. The issue resides in Caddy's FastCGI path splitting logic, which calculates the split index based on a lowercased copy of the request path and then applies that byte index to the original path. This approach is unsafe for Unicode characters because Go's strings.ToLower() function can alter the UTF-8 byte length of certain characters, resulting in incorrect SCRIPT_NAME, SCRIPT_FILENAME, and PATH_INFO values. Consequently, this path confusion can cause a request containing .php to target and execute a different on-disk file than intended.
The vulnerability can be exploited by any unauthenticated remote attacker with network access to a vulnerable Caddy instance configured for FastCGI, as indicated by its CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). An attacker crafts a request path with .php and Unicode characters that, when lowercased, shift the byte index, directing the FastCGI backend to process an unintended file. In deployments with attacker-controllable file contents, such as file upload features, this enables unintended PHP execution on non-.php files, potentially leading to remote code execution (RCE) depending on the setup and backend configuration.
Mitigation requires upgrading to Caddy version 2.11.1 or later, which addresses the path splitting issue. Official advisories from the Caddy project (GHSA-5r3v-vc8m-m96g) and related projects like FrankenPHP (GHSA-g966-83w7-6w38) detail the fix, available in the release notes at the v2.11.1 tag. The vulnerability is linked to CWE-20 (Improper Input Validation) and CWE-180 (Incorrect Behavior Order).
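The byte-index mismatch described above, as an added Go example that is not Caddy's code: a splitter that reproduces the flawed pattern beside one that matches case-insensitively on the original bytes, plus a one-line check defenders can run over request paths. The function names, the Kelvin-sign sample path and the EqualFold approach are this example's own assumptions, not the project's patch.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

// splitPathUnsafe reproduces the flawed pattern from the advisory: the split index is
// computed on a lowercased copy, then reused on the original (it can even slice past the end).
func splitPathUnsafe(path, splitOn string) (scriptName, pathInfo string, found bool) {
	idx := strings.Index(strings.ToLower(path), strings.ToLower(splitOn))
	if idx < 0 {
		return path, "", false
	}
	end := idx + len(splitOn) // byte offset from the lowercased copy, applied to the original
	return path[:end], path[end:], true
}

// splitPathSafe compares slices of the ORIGINAL path with strings.EqualFold, so the
// byte indices it returns always refer to the original bytes. This is one safe
// approach written for this example, not Caddy's actual patch.
func splitPathSafe(path, splitOn string) (scriptName, pathInfo string, found bool) {
	want := utf8.RuneCountInString(splitOn)
	for i := range path { // i visits every rune boundary of path
		j := i
		for k := 0; k < want && j < len(path); k++ {
			_, w := utf8.DecodeRuneInString(path[j:])
			j += w
		}
		if strings.EqualFold(path[i:j], splitOn) {
			return path[:j], path[j:], true
		}
	}
	return path, "", false
}

// lowerShiftsBytes is a cheap request-log check: true exactly for paths whose
// byte length changes under strings.ToLower, the inputs that confuse the unsafe splitter.
func lowerShiftsBytes(path string) bool {
	return len(strings.ToLower(path)) != len(path)
}
// Constructed sample: the Kelvin sign U+212A (3 bytes) lowercases to ASCII 'k' (1 byte).
const demoPath = "/\u212A/app.php/info"
func main() {
	s, p, _ := splitPathUnsafe(demoPath, ".php")
	fmt.Printf("unsafe: SCRIPT_NAME=%q PATH_INFO=%q\n", s, p)
	s, p, _ = splitPathSafe(demoPath, ".php")
	fmt.Printf("safe:   SCRIPT_NAME=%q PATH_INFO=%q (shifted=%v)\n", s, p, lowerShiftsBytes(demoPath))
}
```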
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-27590 is a vulnerability in the public-facing Caddy web server that enables unauthenticated remote exploitation via crafted requests, leading to path confusion and potential RCE through unintended PHP execution.