CVE-2026-27589
Received Received - Intake
Cross-Origin Request Vulnerability in Caddy Admin API Allows Configuration Manipulation

Publication date: 2026-02-24

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origin` not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behavior without user intent. Version 2.11.1 contains a fix for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-02-25
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27589
EUVD
EUVD-2026-8543
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
caddyserver caddy to 2.11.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-27589 is a vulnerability in the Caddy web server's local admin API, specifically in the POST /load endpoint that replaces the entire running configuration."}, {'type': 'paragraph', 'content': "By default, the admin API listens on 127.0.0.1:2019 and does not enforce origin checks (enforce_origin is not enabled). This allows attacker-controlled web content running in a victim's browser or an untrusted local client to send cross-origin POST requests to the /load endpoint."}, {'type': 'paragraph', 'content': 'Because the /load endpoint accepts and applies attacker-supplied JSON configuration data without proper verification, an attacker can arbitrarily modify the running Caddy configuration. This includes changing admin listener settings and altering HTTP server behavior without user consent.'}, {'type': 'paragraph', 'content': 'The vulnerability is classified as a Cross-Site Request Forgery (CSRF) issue due to insufficient verification that requests are intentionally made by the user.'}, {'type': 'paragraph', 'content': 'A fix was introduced in Caddy version 2.11.1 by enabling origin enforcement or requiring unguessable tokens for state-changing admin endpoints to prevent unauthorized cross-origin requests.'}] [1, 3]

Impact Analysis

This vulnerability can have a high-severity impact on the integrity of your Caddy server configuration.

An attacker who exploits this vulnerability can change the running configuration of your Caddy server without your knowledge or consent.

  • They can modify admin listener settings, potentially moving the admin API to a new address.
  • They can alter HTTP server behavior, such as changing routes and responses.

Such unauthorized changes can lead to loss of control over the server, unauthorized access, or disruption of service.

Exploitation requires that the victim is running a vulnerable Caddy version with the admin API enabled and either visits an attacker-controlled web page or an untrusted local client issues a request.

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by verifying if the Caddy server's local admin API is running and listening on the default address 127.0.0.1:2019 and if the origin enforcement is disabled (enforce_origin not configured)."}, {'type': 'paragraph', 'content': 'One approach is to check if the /load endpoint accepts cross-origin POST requests that replace the running configuration without proper origin checks.'}, {'type': 'paragraph', 'content': 'A proof-of-concept (PoC) includes scripts to verify the vulnerability by sending POST requests with attacker-controlled origin headers to the /load endpoint and observing if the configuration changes are applied.'}, {'type': 'list_item', 'content': 'Check if Caddy admin API is listening on 127.0.0.1:2019 (e.g., using netstat or ss): `netstat -tuln | grep 2019`'}, {'type': 'list_item', 'content': 'Attempt to fetch current configuration: `curl http://127.0.0.1:2019/config/`'}, {'type': 'list_item', 'content': 'Test POST request to /load endpoint with a crafted JSON config and an attacker-controlled Origin header to see if the server accepts and applies it.'}, {'type': 'list_item', 'content': 'Use provided PoC scripts (e.g., `make verify` in the extracted poc.zip) to automate detection and verification of the vulnerability.'}] [1, 2, 3]

Mitigation Strategies

Immediate mitigation steps include enabling origin enforcement on the Caddy admin API to prevent cross-origin requests from unauthorized sources.

Specifically, configure the admin API to enforce origin checks for unsafe HTTP methods like POST, which prevents attacker-controlled web content from sending malicious configuration changes.

Alternatively or additionally, require an unguessable token for the /load endpoint and other state-changing admin endpoints to restrict access.

Upgrading Caddy to version 2.11.1 or later, where this vulnerability is fixed, is strongly recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27589. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart