CVE-2026-27589 Overview
CVE-2026-27589 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Caddy, an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local Caddy admin API (default listen 127.0.0.1:2019) exposes a state-changing POST /load endpoint that replaces the entire running configuration. When origin enforcement is not enabled (enforce_origin not configured), the admin endpoint accepts cross-origin requests from attacker-controlled web content in a victim's browser and applies an attacker-supplied JSON configuration. This can change the admin listener settings and alter HTTP server behavior without user intent.
Critical Impact
An attacker can leverage CSRF to completely replace the Caddy server configuration via the admin API, potentially redirecting traffic, exposing sensitive data, or disrupting service availability.
Affected Products
- Caddyserver Caddy versions prior to 2.11.1
Discovery Timeline
- 2026-02-24 - CVE-2026-27589 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-27589
Vulnerability Analysis
This vulnerability is classified as CWE-352 (Cross-Site Request Forgery). The Caddy web server includes a built-in admin API that listens on 127.0.0.1:2019 by default. This API provides powerful configuration management capabilities, including a POST /load endpoint that allows complete replacement of the running server configuration with a new JSON-based configuration.
The core issue stems from insufficient origin validation on state-changing API endpoints. When the enforce_origin option is not explicitly configured, the admin API accepts requests regardless of their origin. This means that if a user with access to the Caddy server (such as an administrator browsing locally) visits a malicious website, that website can craft JavaScript code to send requests to the local admin API endpoint.
Since the request originates from the victim's browser, it targets localhost:2019 and bypasses network-level protections. The attacker-supplied JSON configuration is then applied to the running Caddy instance, giving the attacker full control over the server's behavior.
Root Cause
The root cause is the lack of default origin enforcement on the Caddy admin API. The POST /load endpoint performs a state-changing operation (replacing the entire server configuration) but does not require proper origin validation or CSRF tokens when enforce_origin is not configured. This allows cross-origin requests from malicious web content to successfully interact with the API.
Attack Vector
The attack requires the victim to be browsing the web from a machine where Caddy is running with the admin API enabled and accessible on localhost. The attacker hosts malicious web content (e.g., a webpage with embedded JavaScript) that makes cross-origin requests to http://127.0.0.1:2019/load with a crafted JSON payload. When the victim visits the attacker's page, the browser executes the malicious JavaScript, which sends requests to the local Caddy admin API. Since the admin API does not validate the origin, it accepts and applies the attacker's configuration.
The attacker can use this to modify the HTTP server behavior, change admin listener settings, redirect traffic to attacker-controlled servers, inject malicious responses, or disable TLS protections. Technical details and a proof-of-concept are available in the GitHub Security Advisory.
Detection Methods for CVE-2026-27589
Indicators of Compromise
- Unexpected configuration changes to the Caddy server without administrator action
- Unusual requests to the POST /load endpoint in admin API access logs
- Configuration entries pointing to unknown or suspicious upstream servers
- Modified admin listener settings or binding addresses
Detection Strategies
- Monitor admin API access logs for requests to /load endpoint originating from unexpected sources
- Implement network monitoring for traffic to 127.0.0.1:2019 from browser processes
- Review Caddy configuration files for unauthorized modifications
- Deploy endpoint detection rules to identify JavaScript making requests to local admin APIs
Monitoring Recommendations
- Enable verbose logging on the Caddy admin API to capture all configuration change requests
- Implement file integrity monitoring on Caddy configuration files
- Set up alerts for any configuration reload events that weren't initiated through approved processes
- Monitor for browser-based network connections to localhost admin ports
How to Mitigate CVE-2026-27589
Immediate Actions Required
- Upgrade Caddy to version 2.11.1 or later immediately
- Enable enforce_origin in the admin API configuration as an interim measure
- Review current Caddy configuration for any unauthorized changes
- Consider disabling the admin API if not required for operations
Patch Information
The vulnerability has been fixed in Caddy version 2.11.1. Users should upgrade to this version or later to receive the security fix. The patch implements proper origin enforcement to prevent cross-origin requests from being accepted by the admin API. For more details, see the Caddy v2.11.1 release notes and the GitHub Security Advisory.
Workarounds
- Configure enforce_origin in the admin block to validate request origins
- Restrict the admin API to only accept connections from trusted sources using firewall rules
- Disable the admin API entirely by setting admin off in the Caddyfile if administrative access is not needed
- Use network segmentation to isolate systems running Caddy from untrusted browser traffic
# Caddyfile configuration to enable origin enforcement
{
admin :2019 {
enforce_origin
origins localhost:2019 127.0.0.1:2019
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
