{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27589", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-20T17:40:28.450Z", "datePublished": "2026-02-24T16:30:52.016Z", "dateUpdated": "2026-02-27T20:51:24.110Z"}, "containers": {"cna": {"title": "Caddy vulnerable to cross-origin config application via local admin API /load (caddy)", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/caddyserver/caddy/security/advisories/GHSA-879p-475x-rqh2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-879p-475x-rqh2"}, {"name": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1"}, {"name": "https://github.com/user-attachments/files/25079818/poc.zip", "tags": ["x_refsource_MISC"], "url": "https://github.com/user-attachments/files/25079818/poc.zip"}, {"name": "https://github.com/user-attachments/files/25079820/PR_DESCRIPTION.md", "tags": ["x_refsource_MISC"], "url": "https://github.com/user-attachments/files/25079820/PR_DESCRIPTION.md"}], "affected": [{"vendor": "caddyserver", "product": "caddy", "versions": [{"version": "< 2.11.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T16:31:35.510Z"}, "descriptions": [{"lang": "en", "value": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origin` not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behavior without user intent. Version 2.11.1 contains a fix for the issue."}], "source": {"advisory": "GHSA-879p-475x-rqh2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T20:51:17.015647Z", "id": "CVE-2026-27589", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T20:51:24.110Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27589", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T20:51:17.015647Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T20:51:20.985Z"}}], "cna": {"title": "Caddy vulnerable to cross-origin config application via local admin API /load (caddy)", "source": {"advisory": "GHSA-879p-475x-rqh2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "caddyserver", "product": "caddy", "versions": [{"status": "affected", "version": "< 2.11.1"}]}], "references": [{"url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-879p-475x-rqh2", "name": "https://github.com/caddyserver/caddy/security/advisories/GHSA-879p-475x-rqh2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1", "name": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/user-attachments/files/25079818/poc.zip", "name": "https://github.com/user-attachments/files/25079818/poc.zip", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/user-attachments/files/25079820/PR_DESCRIPTION.md", "name": "https://github.com/user-attachments/files/25079820/PR_DESCRIPTION.md", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origin` not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behavior without user intent. Version 2.11.1 contains a fix for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T16:31:35.510Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27589", "state": "PUBLISHED", "dateUpdated": "2026-02-27T20:51:24.110Z", "dateReserved": "2026-02-20T17:40:28.450Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-24T16:30:52.016Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*", "matchCriteriaId": "9AD1B432-AFA3-4A05-A687-F6092CDB6498", "versionEndExcluding": "2.11.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origin` not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behavior without user intent. Version 2.11.1 contains a fix for the issue."}], "id": "CVE-2026-27589", "lastModified": "2026-02-25T17:08:56.040", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-24T17:29:04.317", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-879p-475x-rqh2"}, {"source": "security-advisories@github.com", "tags": ["Exploit"], "url": "https://github.com/user-attachments/files/25079818/poc.zip"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/user-attachments/files/25079820/PR_DESCRIPTION.md"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.11.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "caddy", "source": "cna", "vendor": "caddyserver"}, "product": "caddy", "vendor": "caddyserver"}], "analysis": {"en": {"generated_at": "2026-04-16T16:23:04.457315+00:00", "value": {"mitigation_remediation": ["Upgrade Caddy to version 2.11.1 or later.", "Configure the admin server with enforce_origin to reject cross\u2011origin requests.", "Restrict the admin API to trusted hosts using firewall rules or binding to a private interface.", "If the admin endpoint is not required, disable it completely."], "summary": {"action": "Apply Patch", "impact": "Unauthorized configuration changes via cross\u2011origin requests"}, "threat_synthesis": {"affected_systems": "caddyserver caddy versions prior to 2.11.1. The vulnerability affects all builds that expose the local admin API on 127.0.0.1:2019 without origin enforcement.", "description_and_impact": "This vulnerability allows an attacker to send a POST /load request to the local Caddy admin API, which replaces the server\u2019s entire configuration. When the admin server has no origin policy enabled, the endpoint accepts cross\u2011origin requests from arbitrary web content. The attacker can supply a malicious JSON configuration that alters listener settings or HTTP behavior, effectively modifying Caddy without the user\u2019s consent. The weakness is a broken request forgery protection (CWE\u2011352).", "risk_and_exploitability": "CVSS 6.9 indicates a medium\u2011to\u2011high severity. The EPSS score is below 1\u00a0%, meaning the probability of exploitation is low but not zero. The vulnerability is not currently listed in CISA\u2019s KEV catalog. Attackers would need to trick a victim into loading malicious web content that issues a POST /load request to localhost:2019. The assumption is that the victim\u2019s browser will honour cross\u2011origin POSTs to the admin API, which has no origin check. Once the attack succeeds, the attacker can permanently modify the configuration of Caddy, potentially redirecting traffic, injecting headers, or disabling security features."}}}}, "created": "2026-02-25T11:38:39.731079+00:00", "updated": "2026-04-16T16:30:15.937400+00:00", "vendors": ["caddyserver", "caddyserver$PRODUCT$caddy"]}