CVE-2026-27589: Cross-Site Request Forgery in Caddy

Severity: 6.9 MEDIUM (NVD)
EPSS: 0.0% (top 93.73%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 24; Latest update Feb 26

Description

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origin` not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the a
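As an added illustration of the mitigation the description names (origin enforcement for the admin API), not Caddy's own code: a Go policy that applies a state-changing admin request only when its Origin (or, failing that, Referer) is on an allowlist, with the unenforced case beside it. The type name, field names, and the sample origins are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// AdminOriginPolicy stands in for Caddy's admin enforce_origin/origins settings (illustrative, not Caddy's code).
type AdminOriginPolicy struct {
	Enforce bool     // false reproduces the unenforced default described above
	Origins []string // allowed host[:port] values, e.g. "localhost:2019"
}

// requestOrigin returns the host[:port] taken from the Origin header, else Referer, else "".
func requestOrigin(r *http.Request) string {
	v := r.Header.Get("Origin")
	if v == "" {
		v = r.Header.Get("Referer")
	}
	if u, err := url.Parse(v); err == nil && u.Host != "" {
		return u.Host // scheme://host[:port]/path -> host[:port]
	}
	return v // "", a bare host[:port], or an unparseable value: compared as-is
}

// Allowed reports whether a state-changing admin request (such as POST /load) may be applied.
// Without enforcement every request passes: the cross-origin config application the advisory describes.
func (p AdminOriginPolicy) Allowed(r *http.Request) bool {
	if !p.Enforce {
		return true
	}
	origin := requestOrigin(r)
	if origin == "" {
		return false // this example's choice: no reported origin, no config change
	}
	for _, o := range p.Origins {
		if strings.EqualFold(o, origin) {
			return true
		}
	}
	return false
}

func main() {
	strict := AdminOriginPolicy{Enforce: true, Origins: []string{"localhost:2019"}}
	r := &http.Request{Header: http.Header{"Origin": {"https://attacker.example"}}} // constructed cross-site origin
	fmt.Println("cross-origin POST /load allowed:", strict.Allowed(r))
}
```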

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages (3 packages)

CVEList V5: caddyserver/caddy < 2.11.1
NVD: caddyserver/caddy < 2.11.1

Vulnerability Details (5)

OSV: Caddy is vulnerable to cross-origin config application via local admin API /load in github.com/caddyserver/caddy/v2 (2026-02-26)
GHSA: Caddy is vulnerable to cross-origin config application via local admin API /load (2026-02-24)
CVEList: Caddy vulnerable to cross-origin config application via local admin API /load (caddy) (2026-02-24)
OSV: CVE-2026-27589: Caddy is an extensible server platform that uses TLS by default (2026-02-24)
OSV: Caddy is vulnerable to cross-origin config application via local admin API /load (2026-02-24)

Vendor Advisories (1)

Debian: CVE-2026-27589: caddy - Caddy is an extensible server platform that uses TLS by default. Prior to versio... (2026)

Threat Intelligence (1)

Wiz: CVE-2026-27589 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-27589 — Cross-Site Request Forgery in Caddy | cvebase