ID

VAR-202602-2836


CVE

CVE-2026-27586


TITLE

Caddy (Light Code Labs): improper handling of exceptional conditions vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2026-005160

DESCRIPTION

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but accepts any client certificate signed by any system-trusted CA, completely bypassing the intended private CA trust boundary. Any deployment using `trusted_ca_cert_file` or `trusted_ca_certs_pem_files` for mTLS will silently degrade to accepting any system-trusted client certificate if the CA file becomes unavailable. This can happen due to a typo in the path, file rotation, corruption, or permission changes. The server gives no indication that mTLS is misconfigured. Version 2.11.1 fixes the vulnerability. All information handled by the software may be rewritten. The software itself will not stop (availability is not affected). Attacks that exploit this vulnerability do not affect other software.

Trust: 1.62

sources: NVD: CVE-2026-27586 // JVNDB: JVNDB-2026-005160

AFFECTED PRODUCTS

vendor: caddyserver / model: caddy / scope: lt / version: 2.11.1

Trust: 1.0

vendor: light code / model: caddy / scope: eq / version: 2.11.1

Trust: 0.8

vendor: light code / model: caddy / scope: - / version: -

Trust: 0.8

vendor: light code / model: caddy / scope: eq / version: -

Trust: 0.8

sources: JVNDB: JVNDB-2026-005160 // NVD: CVE-2026-27586

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2026-27586
value: CRITICAL

Trust: 1.0

security-advisories@github.com: CVE-2026-27586
value: HIGH

Trust: 1.0

NVD: CVE-2026-27586
value: CRITICAL

Trust: 0.8

nvd@nist.gov: CVE-2026-27586
baseSeverity: CRITICAL
baseScore: 9.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 5.2
version: 3.1

Trust: 1.0

NVD: CVE-2026-27586
baseSeverity: CRITICAL
baseScore: 9.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2026-005160 // NVD: CVE-2026-27586 // NVD: CVE-2026-27586

PROBLEMTYPE DATA

problemtype:CWE-755

Trust: 1.0

problemtype:Improper handling in exceptional conditions (CWE-755) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2026-005160 // NVD: CVE-2026-27586

PATCH

title: mTLS client authentication silently fails open when CA certificate file is missing or malformed (Advisory, caddyserver/caddy, GitHub)
url: https://github.com/caddyserver/caddy/security/advisories/GHSA-hffm-g8v7-wrv7

Trust: 0.8

sources: JVNDB: JVNDB-2026-005160

EXTERNAL IDS

db: NVD / id: CVE-2026-27586

Trust: 2.6

db: JVNDB / id: JVNDB-2026-005160

Trust: 0.8

sources: JVNDB: JVNDB-2026-005160 // NVD: CVE-2026-27586

REFERENCES

url:https://github.com/caddyserver/caddy/releases/tag/v2.11.1

Trust: 1.8

url:https://gist.github.com/moscowchill/9566c79c76c0b64c57f8bd0716f97c48

Trust: 1.8

url:https://github.com/caddyserver/caddy/security/advisories/ghsa-hffm-g8v7-wrv7

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2026-27586

Trust: 0.8

sources: JVNDB: JVNDB-2026-005160 // NVD: CVE-2026-27586

SOURCES

db: JVNDB / id: JVNDB-2026-005160
db: NVD / id: CVE-2026-27586

LAST UPDATE DATE

2026-03-01T00:02:48.780000+00:00


SOURCES UPDATE DATE

db: JVNDB / id: JVNDB-2026-005160 / date: 2026-02-27T03:42:00
db: NVD / id: CVE-2026-27586 / date: 2026-02-25T17:14:19.867

SOURCES RELEASE DATE

db: JVNDB / id: JVNDB-2026-005160 / date: 2026-02-27T00:00:00
db: NVD / id: CVE-2026-27586 / date: 2026-02-24T17:29:03.793