Caddy Web Server Improper Handling of Case Sensitivity Vulnerability - CVE-2026-27588

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1 Caddy39s HTTP host request matcher is documented as case-insensitive but when configured with a large host list (gt100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the casing of the Host header. Version 2.11.1 contains a fix for the issue.