NIXPKGS-2026-0355

GitHub issue published on 27 Feb 2026

Permalink CVE-2026-27586

updated 3 weeks, 2 days ago by @LeSuisse Activity log

Created automatic suggestion 3 weeks, 3 days ago
@LeSuisse removed
7 packages
- xcaddy
- caddyfile-language-server
- vimPlugins.nvim-treesitter-parsers.caddy
- tree-sitter-grammars.tree-sitter-caddyfile
- vscode-extensions.matthewpi.caddyfile-support
- python313Packages.tree-sitter-grammars.tree-sitter-caddyfile
- python314Packages.tree-sitter-grammars.tree-sitter-caddyfile
3 weeks, 2 days ago
@LeSuisse accepted 3 weeks, 2 days ago
@LeSuisse removed
4 maintainers
- @ryan4yin
- @techknowlogick
- @Br1ght0ne
- @stepbrobd
3 weeks, 2 days ago
@LeSuisse published on GitHub 3 weeks, 2 days ago

Caddy's mTLS client authentication silently fails open when CA certificate file is missing or malformed

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but accepts any client certificate signed by any system-trusted CA, completely bypassing the intended private CA trust boundary. Any deployment using `trusted_ca_cert_file` or `trusted_ca_certs_pem_files` for mTLS will silently degrade to accepting any system-trusted client certificate if the CA file becomes unavailable. This can happen due to a typo in the path, file rotation, corruption, or permission changes. The server gives no indication that mTLS is misconfigured. Version 2.11.1 fixes the vulnerability.

References

https://gist.github.com/moscowchill/9566c79c76c0b64c57f8bd0716f97c48 x_refsource_MISC
https://github.com/caddyserver/caddy/releases/tag/v2.11.1 x_refsource_MISC
https://github.com/caddyserver/caddy/security/advisories/GHSA-hffm-g8v7-wrv7 x_refsource_CONFIRM

Affected products

caddy

==< 2.11.1

Matching in nixpkgs

pkgs.caddy

Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS

nixos-unstable 2.10.2
- nixpkgs-unstable 2.10.2
- nixos-unstable-small 2.11.1
nixos-25.11 2.10.2
- nixos-25.11-small 2.10.2
- nixpkgs-25.11-darwin 2.10.2

Ignored packages (7)

pkgs.xcaddy

Build Caddy with plugins

nixos-unstable 0.4.5
- nixpkgs-unstable 0.4.5
- nixos-unstable-small 0.4.5
nixos-25.11 0.4.5
- nixos-25.11-small 0.4.5
- nixpkgs-25.11-darwin 0.4.5

pkgs.caddyfile-language-server

Basic language server for caddyfile

nixos-unstable 0.4.0
- nixpkgs-unstable 0.4.0
- nixos-unstable-small 0.4.0

pkgs.vimPlugins.nvim-treesitter-parsers.caddy

None

nixos-unstable 0.0.0+rev=2686186
- nixpkgs-unstable 0.0.0+rev=2686186
- nixos-unstable-small 0.0.0+rev=2686186
nixos-25.11 -
- nixos-25.11-small
- nixpkgs-25.11-darwin

pkgs.tree-sitter-grammars.tree-sitter-caddyfile

Tree-sitter grammar for caddyfile

nixos-unstable 0-unstable-2025-12-16
- nixpkgs-unstable 0-unstable-2025-12-16
- nixos-unstable-small 0-unstable-2025-12-16

pkgs.vscode-extensions.matthewpi.caddyfile-support

Rich Caddyfile support for Visual Studio Code

nixos-unstable 0.4.0
- nixpkgs-unstable 0.4.0
- nixos-unstable-small 0.4.0
nixos-25.11 0.4.0
- nixos-25.11-small 0.4.0
- nixpkgs-25.11-darwin 0.4.0

pkgs.python313Packages.tree-sitter-grammars.tree-sitter-caddyfile

Python bindings for tree-sitter-caddyfile

nixos-unstable 0+unstable20251216
- nixpkgs-unstable 0+unstable20251216
- nixos-unstable-small 0+unstable20251216

pkgs.python314Packages.tree-sitter-grammars.tree-sitter-caddyfile