CVE-2026-45692
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk4th percentile — higher than 4% of all known CVEs
Summary
A vulnerability in Caddy server versions 2.4.0 through 2.11.3 arises from a mismatch between the authorization layer and the /config path traversal layer. The authorization layer uses string prefix matching, while the traversal layer parses array indices numerically using strconv.Atoi(), leading to incorrect resolution of configuration objects. The issue is fixed in version 2.11.3.
Risk Assessment
An attacker may gain access to unauthorized configuration objects, potentially leading to server setting modification, privilege escalation, or system integrity compromise.
Recommendation
Immediately upgrade Caddy server to version 2.11.3 or later, which includes the fix for this vulnerability.
Original NVD description (English source)
Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal layer do not agree on what object the path refers to. In this case, a path authorized for one config object is accepted, but then resolves to a different config object during traversal. This happens because the authorization layer uses string prefix matching and the /config traversal layer parses array indices numerically using strconv.Atoi(). This vulnerability is fixed in 2.11.3.

