ID

VAR-202606-5117


CVE

CVE-2026-52844


TITLE

Multiple vulnerabilities in Caddy from Light Code Labs

Trust: 0.8

sources: JVNDB: JVNDB-2026-021539

DESCRIPTION

Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, on Windows, Caddy path matchers treat /private\secret.txt as outside /private/*, but file_server later resolves the same request path as private\secret.txt on disk. An unauthenticated remote client can bypass Caddy path-scoped auth/deny routes protecting /private/*. This vulnerability is fixed in 2.11.4.

JVNDB description (translated from Japanese; the "¥" in the Japanese text is the local rendering of the backslash): Caddy is a highly extensible server platform that uses TLS by default. In versions before 2.11.4 running on Windows, the Caddy path matcher treats /private\secret.txt as lying outside /private/*, while file_server processes the same request path as private\secret.txt on disk. This may allow an unauthenticated remote client to bypass the path-scoped auth/deny routes that protect /private/*. This vulnerability is fixed in version 2.11.4.

Impact (from the JVNDB assessment):
- Information handled by the software may be disclosed to external parties.
- Information handled by the software is not modified.
- The software does not stop.
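The mechanism above is a mismatch between two interpretations of one request path: the route matcher compares against "/private/" using only the forward slash as a separator, while the Windows filesystem (and Go's path/filepath on Windows) also treats the backslash as a separator. The program below is an added example written for this record, not Caddy's own code and not the 2.11.4 fix; it simulates the Windows resolution step with an explicit backslash-to-slash conversion (assumption: that is what happens on disk) and uses the constructed site root /srv/www in place of a Windows path such as C:\srv\www so it runs on any OS. It goes slightly beyond the advisory's single case by also checking a backslash-separated dot-dot path, and shows a matcher that normalizes before comparing so it sees the same path file_server will open.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// samplePaths are constructed request paths for the demonstration.
// "%5C" is the URL-encoded backslash referred to in the advisory title.
var samplePaths = []string{
	"/private/secret.txt",            // normal request, matcher applies
	"/private%5Csecret.txt",          // encoded backslash
	"/private\\secret.txt",           // literal backslash
	"/public\\..\\private\\secret.txt", // backslash-separated traversal
	"/public/index.html",             // unprotected file
}

// decodeRequestPath unescapes the client-supplied path once before matching
// (assumption: a single decoding step, as a typical server would do).
func decodeRequestPath(raw string) string {
	p, err := url.PathUnescape(raw)
	if err != nil {
		return raw
	}
	return p
}

// naiveMatcher is a forward-slash-only prefix matcher: "/private\secret.txt"
// does not start with "/private/", so the auth/deny route is never applied.
func naiveMatcher(reqPath string) bool {
	return strings.HasPrefix(reqPath, "/private/")
}

// windowsResolve models a Windows filesystem joining the request path onto the
// site root: backslashes act as separators, and dot segments are collapsed.
// This is a simulation with path (not path/filepath) so it behaves the same
// on every OS the example is run on.
func windowsResolve(root, reqPath string) string {
	normalized := strings.ReplaceAll(reqPath, "\\", "/")
	return path.Join(root, path.Clean("/"+normalized))
}

// underProtectedDir reports whether the resolved on-disk path lies inside
// root/private, the directory the route was meant to protect.
func underProtectedDir(root, resolved string) bool {
	protected := path.Join(root, "private")
	return resolved == protected || strings.HasPrefix(resolved, protected+"/")
}

// hardenedMatcher converts backslashes and cleans the path before comparing,
// so matcher and file server agree on what the request refers to.
func hardenedMatcher(reqPath string) bool {
	normalized := path.Clean("/" + strings.ReplaceAll(reqPath, "\\", "/"))
	return normalized == "/private" || strings.HasPrefix(normalized, "/private/")
}

// bypasses reports whether a request reaches a file under root/private while
// the naive matcher fails to apply the auth/deny route.
func bypasses(root, rawPath string) bool {
	reqPath := decodeRequestPath(rawPath)
	resolved := windowsResolve(root, reqPath)
	return !naiveMatcher(reqPath) && underProtectedDir(root, resolved)
}

// bypassesHardened is the same check with the normalizing matcher.
func bypassesHardened(root, rawPath string) bool {
	reqPath := decodeRequestPath(rawPath)
	resolved := windowsResolve(root, reqPath)
	return !hardenedMatcher(reqPath) && underProtectedDir(root, resolved)
}

func main() {
	root := "/srv/www"
	for _, p := range samplePaths {
		fmt.Printf("%-34s naive-bypass=%-5v hardened-bypass=%v\n",
			p, bypasses(root, p), bypassesHardened(root, p))
	}
}
```

The practitioner's takeaway is the one the advisory implies: any authorization decision keyed on a request path must be made on the same canonical form the file-serving layer will use, which on Windows means treating "\" exactly like "/" (or rejecting it) before the prefix comparison. Upgrading to 2.11.4 is the fix for Caddy itself; the normalizing matcher here only illustrates the property the fix must restore.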

Trust: 1.62

sources: NVD: CVE-2026-52844 // JVNDB: JVNDB-2026-021539

AFFECTED PRODUCTS

vendor: caddyserver  model: caddy  scope: lt  version: 2.11.4

Trust: 1.0

vendor: light code  model: caddy  scope: eq  version: -

Trust: 0.8

vendor: light code  model: caddy  scope: -  version: -

Trust: 0.8

vendor: light code  model: caddy  scope: eq  version: 2.11.4

Trust: 0.8

sources: JVNDB: JVNDB-2026-021539 // NVD: CVE-2026-52844

CVSS

SEVERITY

CVSSV2

CVSSV3

security-advisories@github.com: CVE-2026-52844
value: HIGH

Trust: 1.0

OTHER: JVNDB-2026-021539
value: HIGH

Trust: 0.8

security-advisories@github.com: CVE-2026-52844
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

OTHER: JVNDB-2026-021539
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2026-021539 // NVD: CVE-2026-52844

PROBLEMTYPE DATA

problemtype:CWE-284

Trust: 1.0

problemtype:CWE-22

Trust: 1.0

problemtype:Path traversal (CWE-22) [ others ]

Trust: 0.8

problemtype: Inappropriate access control (CWE-284) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2026-021539 // NVD: CVE-2026-52844

PATCH

title: Windows `file_server` path authorization bypass via encoded backslash (GitHub Security Advisory, caddyserver/caddy)
url: https://github.com/caddyserver/caddy/security/advisories/GHSA-qrp7-cvwr-j2c6

Trust: 0.8

sources: JVNDB: JVNDB-2026-021539

EXTERNAL IDS

db: NVD  id: CVE-2026-52844

Trust: 2.6

db: JVNDB  id: JVNDB-2026-021539

Trust: 0.8

sources: JVNDB: JVNDB-2026-021539 // NVD: CVE-2026-52844

REFERENCES

url:https://github.com/caddyserver/caddy/security/advisories/ghsa-qrp7-cvwr-j2c6

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2026-52844

Trust: 0.8

sources: JVNDB: JVNDB-2026-021539 // NVD: CVE-2026-52844

SOURCES

db: JVNDB  id: JVNDB-2026-021539
db: NVD  id: CVE-2026-52844

LAST UPDATE DATE

2026-06-30T23:42:35.013000+00:00


SOURCES UPDATE DATE

db: JVNDB  id: JVNDB-2026-021539  date: 2026-06-30T02:19:00
db: NVD  id: CVE-2026-52844  date: 2026-06-29T19:08:19.980

SOURCES RELEASE DATE

db: JVNDB  id: JVNDB-2026-021539  date: 2026-06-30T00:00:00
db: NVD  id: CVE-2026-52844  date: 2026-06-23T18:18:05.137