github caddyserver/caddy v2.11.1
on GitHub

19 hours ago

Our community is pleased to announce Caddy 2.11! Of note are new features, numerous bug fixes including several security patches, and various QoL ("quality-of-life") enhancements.

There are no code changes from v2.11.0 other than to a CI job. Due to a recent external change that broke our release process, the first release of 2.11 is v2.11.1.

Special Sponsor Shoutout

Extra big thanks to our major sponsors:

They, along with dozens of smaller sponsors, make this project and new releases possible, together with our maintainer team. Thank you all!

Notable changes

  • Encrypted ClientHello (ECH) keys are rotated automatically.
  • Time-rolling options for logs.
  • SIGUSR1 can now reload configuration if it was initially loaded from a file on the command line and did not get changed via the API.
  • Reverse proxy now automatically rewrites the Host header to the address of the upstream when the upstream is HTTPS (#7454)
  • log_append can now log request and response bodies, useful for debugging.
  • Our project now implements and requires Assistance Disclosures (for AI/LLMs) on issues, PRs, comments, replies, reviews, etc.
  • Many, many other minor improvements and bug fixes.

Thank you to everyone who was involved this release!

⚠️ Security patches

  • fastcgi: CVE-2026-27590 by @dunglas and @AbdrrahimDahmani - Unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FastCGI transport.
  • admin: CVE-2026-27589 by @1seal - Cross-origin requests attempted with no-cors mode could cause some API requests to succeed; such requests are now blocked. (In order for this to be practically exploitable, a web browser executing a malicious web page must be running locally to a production Caddy process.)
  • caddyhttp: CVE-2026-27588 by Asim Viladi Oglu Manizada - The Host matcher becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass.
  • caddyhttp: CVE-2026-27587 by Asim Viladi Oglu Manizada - The Path matcher skips case normalization for escape sequences, enabling path-based route/auth bypass.
  • caddytls: CVE-2026-27586 by @moscowchill - TLS client authentication silently fails open when CA certificate file is missing or malformed.
  • caddyhttp: CVE-2026-27585 by @parrot409 - Improper sanitization of glob characters in file matcher may lead to bypassing security protections.

🚨 Notice for Caddy plugin maintainers: Dependabot will probably alert you to the security fixes in Caddy and urge you to upgrade it in your go.mod file. Please ONLY upgrade the Caddy dependency if there's a change to an exported API your plugin uses. (Then, turn Dependabot off.)

What's Changed

New Contributors

Full Changelog: v2.10.2...v2.11.1

Check out latest releases or
releases around caddyserver/caddy v2.11.1

Don't miss a new caddy release

NewReleases is sending notifications on new releases.

Get notifications