CVE-2026-27589
Published 2026-02-24
Priority: P3 · 35 · CVSS 3.1 base score 6.5 (medium)
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS: 0.17% (6.2th percentile)
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origin` not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behavior without user intent. Version 2.11.1 contains a fix for the issue.
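An added example, not code from the advisory or the Caddy project: a Caddyfile global options block that enables the origin enforcement the description refers to, shown beside the exposed default. It assumes the Caddyfile `admin` block's `origins` and `enforce_origin` subdirectives as the counterpart of the JSON `enforce_origin` setting named above, and the listed addresses stand in for whatever admin address is actually configured.

```caddyfile
# Added example, not from the advisory: Caddyfile global options for the
# admin endpoint. The addresses are placeholders for the listener in use.

# Exposed form (pre-2.11.1 behaviour): the default admin listener with no
# origin enforcement configured accepts cross-origin POST /load requests.
# {
#     admin 127.0.0.1:2019
# }

# Hardened form: the request's Origin header must match the allow-list,
# so a browser request issued from attacker-controlled web content is refused.
{
    admin 127.0.0.1:2019 {
        # Origins permitted to talk to the admin API (assumed placeholder values).
        origins 127.0.0.1:2019 localhost:2019
        # Require the Origin header to be present and match the list above.
        enforce_origin
    }
}
```

Pair this with the upgrade to 2.11.1 that the description names as the fix; the configuration only narrows exposure on versions that are still running.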
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| caddyserver | caddy | < 2.11.1 | 2.11.1 |
| debian | caddy | — | — |
| github.com | caddyserver_caddy_v2 | >= 0 < 2.11.1 | 2.11.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
| nvd | 4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 6.9 | MEDIUM | — |
| vendor_debian | — | 6.9 | MEDIUM | — |
Debian
CVE-2026-27589: caddy
vendor_debian·2026·CVSS 6.9
Scope: local
bookworm: open
sid: open
trixie: open
OSV
Caddy is vulnerable to cross-origin config application via local admin API /load in github.com/caddyserver/caddy/v2
osv·2026-02-26
GHSA
Caddy is vulnerable to cross-origin config application via local admin API /load
ghsa · 2026-02-24 · MEDIUM · CWE-352
commit: e0f8d9b2047af417d8faf354b675941f3dac9891 (as-of 2026-02-04)
channel: GitHub security advisory (per SECURITY.md)
## summary
The local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration.
When origin enforcement is not enabled (`enforce_origin` not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behavior without user intent.
## Severity
Medium
Justification:
- The attacker can apply an arbitrary caddy config (integrity
OSV
CVE-2026-27589: Caddy is an extensible server platform that uses TLS by default
osv·2026-02-24·CVSS 6.9
OSV
Caddy is vulnerable to cross-origin config application via local admin API /load
osv·2026-02-24
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-27589 caddy: Caddy: Unauthorized configuration modification via cross-origin requests to the admin API [fedora-all]
bugzilla·2026-06-12·CVSS 6.5
+++ This bug was initially created as a clone of Bug #2442428 +++
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-27589 caddy: Caddy: Unauthorized configuration modification via cross-origin requests to the admin API [epel-all]
bugzilla·2026-02-24·CVSS 6.5
Bugzilla
CVE-2026-27589 github.com/caddyserver/caddy/v2/modules/caddyhttp: Caddy: Unauthorized configuration modification via cross-origin requests to the admin API
bugzilla·2026-02-24·CVSS 6.5
Wiz
CVE-2026-27589 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
## CVE-2026-27589: NixOS vulnerability analysis and mitigation
Source: NVD
Score: 6.9
Published: February 24, 2026
Severity: MEDIUM
CNA Score: 6.9
Affected Technologies: NixOS, Wolfi
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 6.3
Exploitation Probability (EPSS): N/A
Affected packages and libraries
github.com/caddyserver/caddy/v2
caddy
Sources
| Source | Versions | Severity | Fix status | Added at |
|---|---|---|---|---|
| NVD | — | — | — | — |
| Alpine | 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, edge | MEDIUM | Has Fix | Mar 02, 2026 |
| Chainguard | — | — | Has Fix | Feb 24, 2026 |
| Debian | 12, 13 | MEDIUM | No Fix | Feb 24, 2026 |
| Echo | — | MEDIUM | No Fix | Feb |