CVE-2026-27589: Caddy is vulnerable to cross-origin config application via local admin API /load
The local Caddy admin API (default listen address 127.0.0.1:2019) exposes a state-changing POST /load endpoint that replaces the entire running configuration.
When origin enforcement is not enabled (enforce_origin is not configured), the admin endpoint accepts cross-origin requests, for example from attacker-controlled web content running in a victim's browser, and applies an attacker-supplied JSON config. Because the config is applied wholesale, this can change the admin listener settings themselves and alter HTTP server behavior without user intent. The referenced fix ships in Caddy v2.11.1 (see references); until upgraded, the admin block should explicitly enable origin enforcement.
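The configuration below is an added example, not taken from the advisory or from the Caddy project's own documentation. It shows the admin block in the hardened state: the default admin block (listen only, no enforce_origin) corresponds to the state the advisory describes, while setting enforce_origin to true and pinning origins to the admin listen address makes the admin handler refuse requests whose Origin or Host header does not match. The listen address, the origins value and the minimal http app are placeholders chosen for illustration.

```json
{
  "admin": {
    "listen": "localhost:2019",
    "enforce_origin": true,
    "origins": ["localhost:2019"]
  },
  "apps": {
    "http": {
      "servers": {
        "example": {
          "listen": [":8080"],
          "routes": [
            {
              "handle": [
                { "handler": "static_response", "body": "ok" }
              ]
            }
          ]
        }
      }
    }
  }
}
```

Two practical notes. First, the admin block travels with the config: whatever config is applied through POST /load (including an attacker's) defines the next admin settings, so the hardened block must be present in every config you load, not just the first one. Second, once enforce_origin is true, local tooling is held to the same rule: a curl call against the admin API that sends no Origin header, or an Origin not listed in origins, is rejected with 403, so scripts need to send a matching Origin (for example Origin: http://localhost:2019). This setting is a mitigation alongside, not a replacement for, upgrading to the patched release.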
References
- github.com/advisories/GHSA-879p-475x-rqh2
- github.com/caddyserver/caddy
- github.com/caddyserver/caddy/commit/65e0ddc22137bbbaa68c842ae0b98d0548504545
- github.com/caddyserver/caddy/releases/tag/v2.11.1
- github.com/caddyserver/caddy/security/advisories/GHSA-879p-475x-rqh2
- github.com/user-attachments/files/25079818/poc.zip
- github.com/user-attachments/files/25079820/PR_DESCRIPTION.md
- nvd.nist.gov/vuln/detail/CVE-2026-27589
- pkg.go.dev/vuln/GO-2026-4537