{"id":"UBUNTU-CVE-2026-52844","details":"Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, on Windows, Caddy path matchers treat /private\\secret.txt as outside /private/*, but file_server later resolves the same request path as private\\secret.txt on disk. An unauthenticated remote client can bypass Caddy path-scoped auth/deny routes protecting /private/*. This vulnerability is fixed in 2.11.4.","modified":"2026-06-25T19:16:39.740906086Z","published":"2026-06-23T18:18:00Z","upstream":["CVE-2026-52844"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-52844"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2026-52844"}],"affected":[{"package":{"name":"caddy","ecosystem":"Ubuntu:Pro:24.04:LTS","purl":"pkg:deb/ubuntu/caddy?arch=source&distro=esm-apps%2Fnoble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.6.2-6","2.6.2-6ubuntu0.24.04.1","2.6.2-6ubuntu0.24.04.2","2.6.2-6ubuntu0.24.04.2+esm1","2.6.2-6ubuntu0.24.04.3","2.6.2-6ubuntu0.24.04.3+esm1","2.6.2-6ubuntu0.24.04.3+esm2"],"ecosystem_specific":{"binaries":[{"binary_name":"caddy","binary_version":"2.6.2-6ubuntu0.24.04.3+esm2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-52844.json"}},{"package":{"name":"caddy","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/caddy?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.6.2-9","2.6.2-11","2.6.2-12"],"ecosystem_specific":{"binaries":[{"binary_name":"caddy","binary_version":"2.6.2-12"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-52844.json"}},{"package":{"name":"caddy","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/caddy?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.6.2-12","2.6.2-14"],"ecosystem_specific":{"binaries":[{"binary_name":"caddy","binary_version":"2.6.2-14"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-52844.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}]}