Caddy Server Vulnerability Exposes Admin API to Unauthorized Configuration Changes
CVE-2026-27589

6.9 MEDIUM

Key Information:

Status:
Vendor:
CVE Published: 24 February 2026

What is CVE-2026-27589?

Caddy is an extensible web server platform that enables HTTPS by default. Before version 2.11.1, its local admin API, which listens on 127.0.0.1:2019, accepted unauthenticated cross-origin requests on the POST /load endpoint. Because /load replaces the server's running configuration with the JSON document in the request body, an attacker who can get such a request delivered to the admin endpoint can push a crafted configuration and change the server's behaviour without the operator's knowledge. The flaw is a weakness in the admin API's request handling, not an operator misconfiguration, and it affects integrity only: the attacker cannot read the existing configuration through it but can overwrite it. The Caddy team fixed the issue in version 2.11.1 and advises all users to upgrade.
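
The following Go program is an added example, not Caddy's own code and not part of the original advisory. It sends the request the advisory describes, an unauthenticated POST /load carrying a foreign Origin header, to an admin endpoint and classifies the answer. The origin `http://attacker.example`, the admin base URL `http://127.0.0.1:2019`, and the stand-in handler `SimulatedAdmin` (which mimics an endpoint that either ignores or enforces the Origin header) are assumptions made for the example; the interpretation also assumes that origin enforcement happens before the body is parsed. The probe body is deliberately malformed JSON so that the probe can never replace a live server's configuration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
	"time"
)

// Assumed attacker-style origin for the probe; any origin the admin API
// has no reason to trust will do.
const foreignOrigin = "http://attacker.example"

// Malformed on purpose: a server that reaches the point of parsing it has
// already accepted the cross-origin request, but cannot apply this "config".
const probeBody = "{"

// Verdict is the probe's interpretation of the status code it received.
type Verdict string

const (
	VerdictRejected     Verdict = "origin rejected"
	VerdictAccepted     Verdict = "cross-origin request accepted"
	VerdictInconclusive Verdict = "inconclusive"
)

// ProbeCrossOriginLoad POSTs probeBody to <adminBase>/load with a foreign
// Origin header and returns the HTTP status code the endpoint answered with.
func ProbeCrossOriginLoad(adminBase string) (int, error) {
	url := strings.TrimRight(adminBase, "/") + "/load"
	req, err := http.NewRequest(http.MethodPost, url, strings.NewReader(probeBody))
	if err != nil {
		return 0, err
	}
	req.Header.Set("Origin", foreignOrigin)
	req.Header.Set("Content-Type", "application/json")
	client := &http.Client{Timeout: 5 * time.Second}
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body)
	return resp.StatusCode, nil
}

// Classify maps the status code to a verdict. 403 means the origin was
// refused; 400 (the expected reply to the malformed body) or any 2xx means
// the request passed the origin check; anything else (e.g. 404 from some
// other service on the port) is inconclusive and needs a version check.
func Classify(status int) Verdict {
	switch {
	case status == http.StatusForbidden:
		return VerdictRejected
	case status == http.StatusBadRequest || (status >= 200 && status < 300):
		return VerdictAccepted
	default:
		return VerdictInconclusive
	}
}

// SimulatedAdmin is a constructed stand-in for the admin API's POST /load,
// used so the probe can be exercised offline. With enforceOrigin=false it
// behaves like the flawed endpoint the advisory describes (any Origin is
// accepted and the body is parsed as config); with enforceOrigin=true it
// refuses foreign origins with 403 before reading the body. It is not
// Caddy's implementation.
func SimulatedAdmin(enforceOrigin bool, allowedOrigin string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.URL.Path != "/load" {
			http.NotFound(w, r)
			return
		}
		if enforceOrigin && r.Header.Get("Origin") != allowedOrigin {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		var cfg map[string]any
		if err := json.NewDecoder(r.Body).Decode(&cfg); err != nil {
			http.Error(w, "invalid config: "+err.Error(), http.StatusBadRequest)
			return
		}
		w.WriteHeader(http.StatusOK) // a real server would now apply cfg
	})
}

func main() {
	// Assumed default admin address; point this at your own instance.
	status, err := ProbeCrossOriginLoad("http://127.0.0.1:2019")
	if err != nil {
		fmt.Println("probe failed (is the admin API listening?):", err)
		return
	}
	fmt.Printf("POST /load from %s -> %d: %s\n", foreignOrigin, status, Classify(status))
}
```

Run the probe from the host that runs Caddy, since the admin API binds to loopback. A `cross-origin request accepted` verdict on a version below 2.11.1 is the condition the advisory describes; the remedy is to upgrade. Independently of the upgrade, the admin API can be turned off when it is not needed (`"admin": {"disabled": true}` in the JSON config, `admin off` in a Caddyfile) or constrained with the `origins` list in the `admin` object, which is the least-privilege posture regardless of this CVE.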

Affected Version(s)

caddy < 2.11.1

References

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published
  • Vulnerability reserved
