Description
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origin` not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behavior without user intent. Version 2.11.1 contains a fix for the issue.
Published: 2026-02-24
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized configuration changes via cross‑origin requests
Action: Apply Patch
AI Analysis

Impact

This vulnerability allows an attacker to send a POST /load request to the local Caddy admin API, which replaces the server’s entire configuration. When the admin server has no origin policy enabled, the endpoint accepts cross‑origin requests from arbitrary web content. The attacker can supply a malicious JSON configuration that alters listener settings or HTTP behavior, effectively modifying Caddy without the user’s consent. The weakness is a broken request forgery protection (CWE‑352).

Affected Systems

caddyserver caddy versions prior to 2.11.1. The vulnerability affects all builds that expose the local admin API on 127.0.0.1:2019 without origin enforcement.

Risk and Exploitability

CVSS 6.9 indicates a medium‑to‑high severity. The EPSS score is below 1 %, meaning the probability of exploitation is low but not zero. The vulnerability is not currently listed in CISA’s KEV catalog. Attackers would need to trick a victim into loading malicious web content that issues a POST /load request to localhost:2019. The assumption is that the victim’s browser will honour cross‑origin POSTs to the admin API, which has no origin check. Once the attack succeeds, the attacker can permanently modify the configuration of Caddy, potentially redirecting traffic, injecting headers, or disabling security features.

Generated by OpenCVE AI on April 16, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Caddy to version 2.11.1 or later.
  • Configure the admin server with enforce_origin to reject cross‑origin requests.
  • Restrict the admin API to trusted hosts using firewall rules or binding to a private interface.
  • If the admin endpoint is not required, disable it completely.

Generated by OpenCVE AI on April 16, 2026 at 16:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-879p-475x-rqh2 Caddy is vulnerable to cross-origin config application via local admin API /load
History

Fri, 27 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

Wed, 25 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Caddyserver
Caddyserver caddy
Vendors & Products Caddyserver
Caddyserver caddy

Tue, 24 Feb 2026 17:00:00 +0000

Type Values Removed Values Added
Description Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origin` not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behavior without user intent. Version 2.11.1 contains a fix for the issue.
Title Caddy vulnerable to cross-origin config application via local admin API /load (caddy)
Weaknesses CWE-352
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Caddyserver Caddy
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T20:51:24.110Z

Reserved: 2026-02-20T17:40:28.450Z

Link: CVE-2026-27589

cve-icon Vulnrichment

Updated: 2026-02-27T20:51:20.985Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-24T17:29:04.317

Modified: 2026-02-25T17:08:56.040

Link: CVE-2026-27589

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T16:30:15Z

Weaknesses