{"id":"GO-2026-4541","summary":"Caddy MatchHost becomes case-sensitive in github.com/caddyserver/caddy/v2","details":"Caddy MatchHost becomes case-sensitive in github.com/caddyserver/caddy/v2","aliases":["CVE-2026-27588","GHSA-x76f-jf84-rqj8"],"modified":"2026-03-17T05:08:39.284709Z","published":"2026-02-26T16:27:51Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2026-4541","review_status":"REVIEWED"},"references":[{"type":"ADVISORY","url":"https://github.com/caddyserver/caddy/security/advisories/GHSA-x76f-jf84-rqj8"},{"type":"FIX","url":"https://github.com/caddyserver/caddy/commit/eec32a0bb5a11651c6a7b04ce82dc50610f2b27e"},{"type":"WEB","url":"https://github.com/caddyserver/caddy/releases/tag/v2.11.1"}],"affected":[{"package":{"name":"github.com/caddyserver/caddy/v2","ecosystem":"Go","purl":"pkg:golang/github.com/caddyserver/caddy/v2"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.11.1"}]}],"ecosystem_specific":{"imports":[{"symbols":["App.Cleanup","App.Provision","App.Start","App.Stop","App.Validate","CELMatcherImpl","CELValueToMapStrList","CIDRExpressionToPrefix","Error","HandlerError.Error","HandlerFunc.ServeHTTP","Invoke.ServeHTTP","LoggableHTTPHeader.MarshalLogObject","LoggableHTTPRequest.MarshalLogObject","LoggableTLSConnState.MarshalLogObject","MatchClientIP.CELLibrary","MatchClientIP.Match","MatchClientIP.MatchWithError","MatchClientIP.Provision","MatchClientIP.UnmarshalCaddyfile","MatchExpression.MarshalJSON","MatchExpression.Match","MatchExpression.MatchWithError","MatchExpression.Provision","MatchExpression.UnmarshalCaddyfile","MatchExpression.UnmarshalJSON","MatchHeader.CELLibrary","MatchHeader.Match","MatchHeader.MatchWithError","MatchHeader.UnmarshalCaddyfile","MatchHeaderRE.CELLibrary","MatchHeaderRE.Match","MatchHeaderRE.MatchWithError","MatchHeaderRE.Provision","MatchHeaderRE.UnmarshalCaddyfile","MatchHeaderRE.Validate","MatchHost.CELLibrary","MatchHost.Match","MatchHost.MatchWithError","MatchHost.Provision","MatchHost.UnmarshalCaddyfile","MatchMethod.CELLibrary","MatchMethod.UnmarshalCaddyfile","MatchNot.MarshalJSON","MatchNot.Match","MatchNot.MatchWithError","MatchNot.Provision","MatchNot.UnmarshalCaddyfile","MatchNot.UnmarshalJSON","MatchPath.CELLibrary","MatchPath.Match","MatchPath.MatchWithError","MatchPath.UnmarshalCaddyfile","MatchPathRE.CELLibrary","MatchPathRE.Match","MatchPathRE.MatchWithError","MatchProtocol.CELLibrary","MatchProtocol.Match","MatchProtocol.MatchWithError","MatchProtocol.UnmarshalCaddyfile","MatchQuery.CELLibrary","MatchQuery.Match","MatchQuery.MatchWithError","MatchQuery.UnmarshalCaddyfile","MatchRegexp.Match","MatchRegexp.Provision","MatchRegexp.UnmarshalCaddyfile","MatchRegexp.Validate","MatchRemoteIP.CELLibrary","MatchRemoteIP.Match","MatchRemoteIP.MatchWithError","MatchRemoteIP.Provision","MatchRemoteIP.UnmarshalCaddyfile","MatchTLS.UnmarshalCaddyfile","MatchVarsRE.CELLibrary","MatchVarsRE.Match","MatchVarsRE.MatchWithError","MatchVarsRE.Provision","MatchVarsRE.UnmarshalCaddyfile","MatchVarsRE.Validate","MatcherSet.Match","MatcherSet.MatchWithError","MatcherSets.AnyMatch","MatcherSets.AnyMatchWithError","MatcherSets.FromInterface","MatcherSets.String","ParseCaddyfileNestedMatcherSet","ParseNamedResponseMatcher","PrepareRequest","ResponseHandler.Provision","ResponseMatcher.Match","ResponseWriterWrapper.Push","ResponseWriterWrapper.ReadFrom","Route.Provision","Route.ProvisionHandlers","Route.ProvisionMatchers","Route.String","RouteList.Provision","RouteList.ProvisionHandlers","RouteList.ProvisionMatchers","Server.ServeHTTP","StaticError.ServeHTTP","StaticError.UnmarshalCaddyfile","StaticIPRange.Provision","StaticResponse.ServeHTTP","StaticResponse.UnmarshalCaddyfile","StringArray.UnmarshalJSON","Subroute.Provision","Subroute.ServeHTTP","VarsMatcher.CELLibrary","VarsMatcher.Match","VarsMatcher.MatchWithError","VarsMatcher.UnmarshalCaddyfile","VarsMiddleware.ServeHTTP","VarsMiddleware.UnmarshalCaddyfile","WeakString.MarshalJSON","WeakString.UnmarshalJSON"],"path":"github.com/caddyserver/caddy/v2/modules/caddyhttp"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4541.json"}}],"schema_version":"1.7.5"}