CVE-2026-52844: Caddy: Windows `file_server` path authorization bypass via encoded backslash

June 16, 2026

On Windows, Caddy path matchers treat /private\secret.txt as outside /private/*, but file_server later resolves the same request path as private\secret.txt on disk.

An unauthenticated remote client can request /private%5csecret.txt and bypass Caddy path-scoped auth/deny routes protecting /private/*.

References

github.com/advisories/GHSA-qrp7-cvwr-j2c6
github.com/caddyserver/caddy/security/advisories/GHSA-qrp7-cvwr-j2c6
nvd.nist.gov/vuln/detail/CVE-2026-52844

Code Behaviors & Features

Detect and mitigate CVE-2026-52844 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →