Adrian Denkiewicz of Doyensec has reported a bug affecting some Caddy versions v2.6.2 and earlier that could reveal files described by the hide parameter of the file_server handler if a client crafts a request using ADS paths.
This bug was fixed here:
And was mentioned in the release notes which were announced then. The bug affected only Windows deployments.
Thank you to Adrian for the report and helping verify the fix!