CVE-2026-45692
CVE-2026-45692 is a medium-severity vulnerability in Caddyserver Caddy with a CVSS 3.x base score of 5.4. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-187.
Key facts
- Severity: Medium (CVSS 3.x base score 5.4)
- EPSS exploit prediction: 0% (4th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-38559
- Weakness: CWE-187
- Affected product: Caddyserver Caddy
- Published:
- Last modified:
Description
Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal layer do not agree on what object the path refers to. In this case, a path authorized for one config object is accepted, but then resolves to a different config object during traversal. This happens because the authorization layer uses string prefix matching and the /config traversal layer parses array indices numerically using strconv.Atoi(). This vulnerability is fixed in 2.11.3.
Frequently asked questions
- What is CVE-2026-45692?
- Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal layer do not agree on what object the path refers to. In this case, a path authorized for one config object is accepted, but then resolves to a different config object during traversal. This happens because the authorization layer uses string prefix matching and the /config traversal layer parses array indices numerically using strconv.Atoi(). This vulnerability is fixed in 2.11.3.
- How severe is CVE-2026-45692?
- CVE-2026-45692 has a CVSS 3.x base score of 5.4, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability none.
- Is CVE-2026-45692 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (4th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-45692?
- CVE-2026-45692 affects Caddyserver Caddy. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-45692?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-45692 have an EU (EUVD) identifier?
- Yes. CVE-2026-45692 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-38559.
- When was CVE-2026-45692 published?
- CVE-2026-45692 was published on 2026-06-23 and last updated on 2026-06-26.
References
Affected products (1)
- cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*
More vulnerabilities in Caddyserver Caddy
- CVE-2026-27590 — Critical (CVSS 9.8): Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path…
- CVE-2018-21246 — Critical (CVSS 9.8): Caddy before 0.10.13 mishandles TLS client authentication, as demonstrated by an authentication bypass caused by the…
- CVE-2026-27588 — Critical (CVSS 9.1): Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request…
- CVE-2026-27587 — Critical (CVSS 9.1): Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request…
- CVE-2026-27586 — Critical (CVSS 9.1): Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed errors in…
- CVE-2026-52845 — High (CVSS 8.1): Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, forward_auth copy_headers deletes the…
All CVEs affecting Caddyserver Caddy →
Other CWE-187 vulnerabilities
- CVE-2024-41110 — Critical (CVSS 9.9): Moby is an open-source project created by Docker for software containerization. A security vulnerability has been…
- CVE-2022-31802 — Critical (CVSS 9.8): In CODESYS Gateway Server V2 for versions prior to V2.3.9.38 only a part of the the specified password is been compared…
- CVE-2026-34785 — High (CVSS 7.5): Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines…
- CVE-2026-44837 — Medium (CVSS 5.9): view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From…
- CVE-2026-14687 — Medium (CVSS 5.3): A vulnerability was determined in 666ghj BettaFish up to 1.2.1. Impacted is the function _deduplicate_results of the…
- CVE-2025-23384 — Low (CVSS 3.7): A vulnerability has been identified in RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2) (All versions < V8.2.1),…