CVE-2026-27589

Caddy vulnerable to cross-origin config application via local admin API /load (caddy)

Description

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origin` not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behavior without user intent. Version 2.11.1 contains a fix for the issue.

INFO

Published Date :

2026-02-24T16:30:52.016Z

Last Modified :

2026-02-27T20:51:24.110Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-27589 vulnerability.

Vendors	Products
Caddyserver	Caddy

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27589.

URL	Resource
https://github.com/caddyserver/caddy/releases/tag/v2.11.1
https://github.com/caddyserver/caddy/security/advisories/GHSA-879p-475x-rqh2
https://github.com/user-attachments/files/25079818/poc.zip
https://github.com/user-attachments/files/25079820/PR_DESCRIPTION.md

CVSS Vulnerability Scoring System

V4
V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact