VYPR
Moderate severityNVD Advisory· Published Feb 24, 2026· Updated Feb 27, 2026

Caddy vulnerable to cross-origin config application via local admin API /load (caddy)

CVE-2026-27589

Description

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen 127.0.0.1:2019) exposes a state-changing POST /load endpoint that replaces the entire running configuration. When origin enforcement is not enabled (enforce_origin not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behavior without user intent. Version 2.11.1 contains a fix for the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/caddyserver/caddy/v2Go
< 2.11.12.11.1

Affected products

3

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.