HomeCVE Intelligence › CVE-2026-52844
CVSS 7.5 HIGH Vulnerability

CVE-2026-52844: Caddy: Windows `file_server` path authorization bypass via encoded backslash

Summary On Windows, Caddy path matchers treat /private\secret.txt as outside /private/*, but file_server later resolves the same request path as private\secret.txt on disk. An unauthenticated remote client can request /…

7.5CVSS Score
HIGHSeverity
NOCISA KEV
VulnerabilityImpact Type

📋 Vulnerability Details

CVE IDCVE-2026-52844
Vendorgo
Affected Productgithub.com/caddyserver/caddy/v2
Vulnerability TypeVulnerability
CVSS Score7.5 (HIGH)
Actively Exploited❌ No known exploitation
Patch StatusSee Vendor Advisory →
Reported ByCYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

#

Summary On Windows, Caddy path matchers treat /private\secret.txt as outside /private/*, but file_server later resolves the same request path as private\secret.txt on disk. An unauthenticated remote client can request /private%5csecret.txt and bypass Caddy path-scoped auth/deny routes protecting /private/*.

Details The mismatch is between two Caddy code paths: - MatchPath.MatchWithError() compares r.URL.Path using URL path semantics and does not normalize \ to /: modules/caddyhttp/matchers.go:429, :436, :490, :532.

• If the route matcher misses, Caddy skips that route: modules/caddyhttp/routes.go:271.
file_server then maps the same request path to a filesystem path with SanitizedPathJoin(root, r.URL.Path): `modules/caddyhttp/fileserver/staticfi

📚 Advisory References

⚡ DETECTION RULES AVAILABLE

Get CVE-2026-52844 Detection Pack

Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.

✓ Sigma Rules ✓ YARA Pack ✓ IOC Table ✓ SIEM Queries
🛡️ Get Detection Pack → 🔌 Access via API →

🔗 Related Intelligence