Vulnerability in Caddyserver Caddy

CVE-2026-27586

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail open when a CA certificate f…

EPSS: 0.001 (31.6th percentile)

Affected products

Weakness classification (CWE)

References