CVE-2026-52844
🟡 Monitor
Authorization bypass in Caddy allows access to files under /private/*.
CVSS
7.5
EPSS
0.4%
Exploit
poc
Vendor
caddyserver
Source description (NVD)
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, on Windows, Caddy path matchers treat /private\secret.txt as outside /private/*, but file_server later resolves the same request path as private\secret.txt on disk. An unauthenticated remote client can bypass Caddy path-scoped auth/deny routes protecting /private/*. This vulnerability is fixed in 2.11.4.
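The root cause described above is a normalization mismatch: the path matcher compares the raw request path, while the file server later maps the same string onto a Windows filesystem where `\` is also a separator. The following Go program is an added illustration (not Caddy's code, and not the fix shipped in 2.11.4) of why a guard must normalize separators before any prefix match; the function names and the sample paths are constructed for this example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// matchesPrivateNaive mirrors a matcher that only understands '/':
// "/private\secret.txt" does not start with "/private/", so the
// protected route is never applied to it.
func matchesPrivateNaive(reqPath string) bool {
	return strings.HasPrefix(reqPath, "/private/")
}

// normalizeRequestPath folds the separator a Windows filesystem would also
// accept ('\') into '/', ensures a leading slash, and cleans the result, so
// that the authorization check sees the same path the file lookup will use.
// Illustrative hardening only; it is an assumption, not Caddy's implementation.
func normalizeRequestPath(reqPath string) string {
	p := strings.ReplaceAll(reqPath, `\`, "/")
	if !strings.HasPrefix(p, "/") {
		p = "/" + p
	}
	return path.Clean(p)
}

// matchesPrivateHardened applies the prefix check to the normalized path.
func matchesPrivateHardened(reqPath string) bool {
	return strings.HasPrefix(normalizeRequestPath(reqPath), "/private/")
}

func main() {
	// Constructed sample request paths.
	samples := []string{"/private/secret.txt", `/private\secret.txt`, "/public/index.html"}
	for _, p := range samples {
		fmt.Printf("%-24q naive=%-5v hardened=%v\n", p, matchesPrivateNaive(p), matchesPrivateHardened(p))
	}
}
```

On a Windows host the naive matcher lets the second sample through unprotected while the file server would still serve it from disk; the hardened matcher treats both spellings identically.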
exploit
No patch
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 7.5 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (exploit probability) | 0.4% |
| Published (NVD) | 2026-06-23 18:18:05 UTC |
| Last modified (NVD) | 2026-06-29 19:08:19 UTC |
References
- https://github.com/caddyserver/caddy/security/advisories/GHSA-qrp7-cvwr-j2c6 (security-advisories@github.com) [Third Party Advisory, Exploit]