PT-2026-21774 · Caddy · Caddy
1Seal · Published 2026-01-01 · Updated 2026-03-03 · CVE-2026-27589
CVSS v4.0 8.2 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Caddy versions prior to 2.11.1
Description: The local Caddy admin API, which listens by default on 127.0.0.1:2019, exposes a POST /load endpoint that replaces the entire running configuration. When origin enforcement is not enabled (the admin enforce_origin option is not set), this endpoint accepts cross-origin requests, including ones issued by attacker-controlled web content in a victim's browser. An attacker can therefore push an attacker-supplied JSON config without the user's intent, altering HTTP server behavior or changing the admin listener settings. The vulnerable component is the adminLoad.handleLoad function in caddyconfig/load.go, which serves the /load admin endpoint.
Recommendations: Upgrade to a version outside the affected range (2.11.1 or later). Where that is not yet possible, ensure cross-origin web content cannot trigger POST /load on the local admin API: enable origin enforcement for unsafe methods (enforce_origin together with an explicit origins allow-list), or require an unguessable token for /load and other state-changing admin endpoints.
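The following is an added example written for this page, not Caddy's own code: a toy admin API whose POST /load replaces the whole running config, with the origin check the recommendation above describes switched off (the vulnerable default) and on. The type and function names, the check's exact policy (Origin header host must be on an allow-list; a request with no Origin header, such as a local curl, is matched on its Host header) and the attacker.example origin and posted config are all assumptions, constructed for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)
// Example for this page, not Caddy's code: a toy admin API whose POST /load swaps
// the running config behind an origin check modelled on "enforce origin".
// Type and function names, the policy and the sample data are all assumptions.

type runningConfig struct {
	Admin struct{ Listen string `json:"listen"` } `json:"admin"`
}

type adminAPI struct {
	cfg           runningConfig
	enforceOrigin bool
	allowed       map[string]bool // host[:port] values such as "localhost:2019"
}

func newAdminAPI(enforceOrigin bool, origins []string) *adminAPI {
	a := &adminAPI{enforceOrigin: enforceOrigin, allowed: map[string]bool{}}
	for _, o := range origins {
		a.allowed[strings.ToLower(o)] = true
	}
	a.cfg.Admin.Listen = "localhost:2019" // loopback default, as on the page
	return a
}

// requestOrigin returns host[:port] from the Origin header, which browsers always
// attach to a cross-site POST; clients sending none (curl) fall back to Host.
// Unparseable or opaque ("null") origins yield "", which matches nothing.
func requestOrigin(r *http.Request) string {
	raw := r.Header.Get("Origin")
	if raw == "" {
		return strings.ToLower(r.Host)
	}
	u, err := url.Parse(raw)
	if err != nil {
		return ""
	}
	return strings.ToLower(u.Host)
}

// originAllowed is the entire difference between the vulnerable and fixed setups.
func (a *adminAPI) originAllowed(r *http.Request) error {
	if !a.enforceOrigin {
		return nil // enforcement off: nobody asks where the request came from
	}
	if host := requestOrigin(r); !a.allowed[host] {
		return fmt.Errorf("origin %q not allowed", host)
	}
	return nil
}

func (a *adminAPI) handleLoad(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	if err := a.originAllowed(r); err != nil {
		http.Error(w, "forbidden: "+err.Error(), http.StatusForbidden)
		return
	}
	var next runningConfig
	if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<20)).Decode(&next); err != nil {
		http.Error(w, "bad config: "+err.Error(), http.StatusBadRequest)
		return
	}
	a.cfg = next // the whole running config is replaced, as /load does
	w.WriteHeader(http.StatusOK)
}

// attackerBody is a constructed config that moves the admin listener off loopback.
const attackerBody = `{"admin":{"listen":"0.0.0.0:2019"},"apps":{}}`

// loadFrom replays a POST /load carrying the given Origin ("" = non-browser
// client) and returns the status code plus the admin listener afterwards.
func loadFrom(enforce bool, origin string) (int, string) {
	api := newAdminAPI(enforce, []string{"localhost:2019", "127.0.0.1:2019"})
	req := httptest.NewRequest(http.MethodPost, "http://localhost:2019/load", strings.NewReader(attackerBody))
	req.Header.Set("Content-Type", "application/json")
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	api.handleLoad(rec, req)
	return rec.Code, api.cfg.Admin.Listen
}

func main() {
	for _, enforce := range []bool{false, true} {
		code, listen := loadFrom(enforce, "http://attacker.example")
		fmt.Printf("enforce_origin=%-5v status=%d admin.listen=%s\n", enforce, code, listen)
	}
}
```

With enforcement off, the cross-site POST is accepted and the admin listener ends up on 0.0.0.0:2019; with it on, the same request gets 403 and the config is untouched, while a request from an allowed origin or one with no Origin header at all (a local curl) still goes through. In Caddy itself the corresponding settings are the enforce_origin and origins keys of the admin object in the JSON config (the admin global option in a Caddyfile); this example only models their effect and does not reuse Caddy's checks.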

Weakness Enumeration: CSRF

Related Identifiers

CVE-2026-27589
GHSA-879P-475X-RQH2
GO-2026-4537
SUSE-SU-2026:0757-1

Affected Products

Caddy