EXECUTIVE SUMMARY:
CVE-2026-45135, with a CVSS score of 8.1, is a high-severity vulnerability in the Caddy web server, affecting versions 2.7.0 through 2.10.2 of the `go/github.com/caddyserver/caddy/v2` package. The vulnerability is caused by unsafe handling of Unicode characters in the FastCGI transport's `splitPos()` function, which misuses the `golang.org/x/text/search` package with `search.IgnoreCase` when the request path contains a non-ASCII byte. It can be exploited by an attacker who can place content into a file served via FastCGI, allowing them to mislead Caddy's FastCGI path splitting into treating a non-.php file (or a file without another configured `split_path` extension) as a script, potentially leading to remote code execution. The attacker requires access to the system where Caddy is deployed and must be able to place content into a file served via FastCGI, for example through an upload or file storage mechanism. If exploited, this vulnerability can have significant business consequences, including unauthorized access to sensitive data, disruption of services, and potential financial loss. Exploitation requires a flawed FastCGI transport configuration with `split_path` set to handle non-ASCII extensions, allowing an attacker to craft a URL whose path triggers either of the two distinct flaws in the `splitPos()` function.
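The advisory attributes the flaw to locating the `split_path` extension with a Unicode-aware, case-insensitive search and then applying the resulting offset to the raw request path. The Go program below is an added illustration of that failure class, not Caddy's `splitPos()` code or its fix: it computes the FastCGI split offset on a Unicode case-folded copy of the path (flawed) and on an ASCII-only folded copy (hardened), and shows how a single non-ASCII rune shifts the offset in the first. The function names, the constructed request path and the Kelvin-sign directory name are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// asciiLower folds only A-Z, so the output has exactly the same byte layout
// as the input and any index found in it is valid in the original string.
func asciiLower(s string) string {
	b := []byte(s)
	for i, c := range b {
		if 'A' <= c && c <= 'Z' {
			b[i] = c + ('a' - 'A')
		}
	}
	return string(b)
}

// splitPath locates ext (e.g. ".php") case-insensitively in fold(path), then
// splits the ORIGINAL path into (SCRIPT_NAME, PATH_INFO) at that offset.
// The offset is only trustworthy if fold preserves byte positions; the bounds
// check guards against a folded copy that is longer than the original.
func splitPath(path, ext string, fold func(string) string) (string, string) {
	idx := strings.Index(fold(path), fold(ext))
	pos := idx + len(ext)
	if idx < 0 || pos > len(path) {
		return path, ""
	}
	return path[:pos], path[pos:]
}

// SplitUnicode is the flawed pattern: strings.ToLower applies full Unicode
// case mapping, and U+212A KELVIN SIGN (3 bytes in UTF-8) folds to 'k'
// (1 byte), so the offset drifts and the split lands inside the script name.
func SplitUnicode(path, ext string) (string, string) {
	return splitPath(path, ext, strings.ToLower)
}

// SplitASCII is the hardened pattern: folding only ASCII letters keeps the
// byte layout identical, so the split lands exactly after the extension.
func SplitASCII(path, ext string) (string, string) {
	return splitPath(path, ext, asciiLower)
}

func main() {
	// Constructed request path: a Kelvin-sign directory precedes the script;
	// matching must still be case-insensitive, hence the upper-case ".PHP".
	path := "/\u212A/index.PHP/extra"
	fmt.Println(SplitUnicode(path, ".php")) // SCRIPT_NAME cut short: "/K/index.P"
	fmt.Println(SplitASCII(path, ".php"))   // "/K/index.PHP" "/extra"
}
```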
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-m675-2p33-xv9g