Caddy TLS Client Authentication Bypass Vulnerability

Vulnerability

A vulnerability in Caddy web server versions prior to 0.10.13 allows TLS client authentication to be bypassed. The issue arises because the server did not enable its StrictHostMatching mode, which is required for client authentication to be handled correctly. As a result, the vulnerability could be exploited to bypass authentication requirements under certain conditions.

Impact

Exploitation of this vulnerability could lead to unauthorized access by bypassing TLS client authentication, allowing clients to authenticate without presenting valid credentials.

Remediation

Users are advised to upgrade to Caddy version 0.10.13 or later, where this vulnerability has been addressed. However, note that version 0.10.13 has a separate issue with obtaining certificates due to a bug; version 0.10.14 resolves this certificate issue.
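To make the remediation concrete, the following Go program is an added illustration of what a "strict host matching" check does in front of per-site TLS client authentication; it is not Caddy's own code, and the type and function names (SiteTLS, NeedsStrictHostMatching, CheckStrictHost, StrictHostMiddleware) are assumptions chosen for this example. The idea it demonstrates: once any site on a listener requires client certificates, a request arriving over a TLS connection must name, in its Host header, the same site the handshake was negotiated for, otherwise it is refused with 403 instead of being routed to a site whose client-certificate requirement that connection never satisfied.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ErrHostMismatch is returned when the HTTP Host does not match the TLS server name (SNI).
var ErrHostMismatch = errors.New("request Host does not match TLS server name")

// SiteTLS is a constructed, minimal stand-in for a per-site TLS configuration (assumed shape).
type SiteTLS struct {
	Host       string
	ClientAuth tls.ClientAuthType
}

// NeedsStrictHostMatching reports whether strict host matching must be switched on:
// as soon as one site on the listener requires client certificates, every request
// on that listener must be tied to the site its TLS handshake was negotiated for.
func NeedsStrictHostMatching(sites []SiteTLS) bool {
	for _, s := range sites {
		if s.ClientAuth != tls.NoClientCert {
			return true
		}
	}
	return false
}

// hostOnly strips an optional port from a Host header value ("example.com:443" -> "example.com").
func hostOnly(h string) string {
	if host, _, err := net.SplitHostPort(h); err == nil {
		return host
	}
	return h
}

// CheckStrictHost returns ErrHostMismatch when strict mode is on and the request's
// Host header names a different site than the TLS server name of the connection.
// strict=false models the permissive behaviour; strict=true models the hardened one.
func CheckStrictHost(hostHeader, sniServerName string, strict bool) error {
	if !strict || sniServerName == "" {
		return nil
	}
	if !strings.EqualFold(hostOnly(hostHeader), sniServerName) {
		return ErrHostMismatch
	}
	return nil
}

// StrictHostMiddleware wraps a handler and rejects mismatched requests with 403 Forbidden.
func StrictHostMiddleware(next http.Handler, strict bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		sni := ""
		if r.TLS != nil {
			sni = r.TLS.ServerName
		}
		if err := CheckStrictHost(r.Host, sni, strict); err != nil {
			http.Error(w, "403 Forbidden: "+err.Error(), http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// ServeStatus runs one constructed request through the middleware and returns the status code.
func ServeStatus(h http.Handler, host, sni string) int {
	req := httptest.NewRequest("GET", "https://"+host+"/", nil)
	req.TLS = &tls.ConnectionState{ServerName: sni} // constructed handshake state
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed listener: one public site and one site that requires client certificates.
	sites := []SiteTLS{
		{Host: "public.example", ClientAuth: tls.NoClientCert},
		{Host: "admin.example", ClientAuth: tls.RequireAndVerifyClientCert},
	}
	strict := NeedsStrictHostMatching(sites)
	h := StrictHostMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "served %s\n", r.Host)
	}), strict)

	fmt.Println("strict host matching enabled:", strict)
	fmt.Println("Host=admin.example SNI=admin.example  ->", ServeStatus(h, "admin.example", "admin.example"))
	fmt.Println("Host=admin.example SNI=public.example ->", ServeStatus(h, "admin.example", "public.example"))
}
```

The check is deliberately placed before routing: the decision uses only the connection's negotiated server name and the Host header, so a site that requires client certificates is never reached through a connection negotiated for a site that does not.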

Added: Mar 24, 2026, 10:19 AM
Updated: Mar 24, 2026, 10:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 7.4
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.