Description
Caddy is vulnerable to cross-origin config application via local admin API /load
Pinned commit: e0f8d9b2047af417d8faf354b675941f3dac9891 (as of 2026-02-04). Reporting channel: GitHub security advisory (per SECURITY.md).
Summary
The local caddy admin API (default listen 127.0.0.1:2019) exposes a state-changing POST /load endpoint that replaces the entire running configuration.
When origin enforcement is not enabled (enforce_origin not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim's browser) and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behavior without user intent.
Severity
Medium
Justification:
- The attacker can apply an arbitrary caddy config (integrity impact) by driving a victim’s local admin API.
- Exploitation requires a victim running caddy with the admin API enabled and visiting an attacker-controlled page (or otherwise issuing the request from an untrusted local client).
Affected component
caddyconfig/load.go: adminLoad.handleLoad (the /load admin endpoint). Pinned callsite: https://github.com/caddyserver/caddy/blob/e0f8d9b2047af417d8faf354b675941f3dac9891/caddyconfig/load.go#L73
Reproduction
Attachment: poc.zip (integration harness) with canonical and control runs.
Expected output (excerpt):
Control output (excerpt):
Impact
An attacker can replace the running caddy configuration via the local admin API. Depending on the deployed configuration/modules, this can:
- Change admin listener settings (e.g., move the admin listener to a new address)
- Change HTTP server behavior (e.g., alter routes/responses)
Suggested remediation
Ensure cross-origin web content cannot trigger POST /load on the local admin API by default, for example by:
- Enabling origin enforcement by default for unsafe methods, and/or
- Requiring an unguessable token for /load (and other state-changing admin endpoints).
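The following is an added example, not code from the advisory, its PoC, or the Caddy project. It models the origin decision described in the summary and the first remediation bullet as a small in-process Go handler: a toy POST /load that replaces a held configuration, first with origin enforcement off (the posture the advisory describes), then with an origin allowlist enforced for the state-changing request. It also includes a check that reads a Caddy-style JSON config and reports whether admin.enforce_origin is set. The attacker origin, the allowlist entries, and both sample configs are constructed for illustration; the handler is a simplified stand-in, not Caddy's admin implementation.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// loadAPI is a toy stand-in for a local admin endpoint whose POST /load replaces
// the whole running configuration. It is NOT Caddy's code; it only models the
// origin decision the advisory describes: with enforcement off, a request from
// any Origin is applied; with enforcement on, only allowlisted origins may
// change state.
type loadAPI struct {
	mu             sync.Mutex
	enforceOrigin  bool     // models Caddy's admin.enforce_origin
	allowedOrigins []string // full "scheme://host:port" strings, compared exactly
	current        map[string]any
}

func (a *loadAPI) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.URL.Path != "/load" || r.Method != http.MethodPost {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	if a.enforceOrigin && !a.originAllowed(r.Header.Get("Origin")) {
		http.Error(w, "origin not allowed", http.StatusForbidden)
		return
	}
	body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20))
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	var cfg map[string]any
	if err := json.Unmarshal(body, &cfg); err != nil {
		http.Error(w, "invalid JSON", http.StatusBadRequest)
		return
	}
	a.mu.Lock()
	a.current = cfg // the whole-config replacement the advisory is about
	a.mu.Unlock()
	w.WriteHeader(http.StatusOK)
}

// originAllowed is the hardened decision. Simplification: a request with no
// Origin header is treated as a non-browser local client (curl, the caddy CLI)
// and allowed; a cross-site browser POST always carries an Origin header.
func (a *loadAPI) originAllowed(origin string) bool {
	if origin == "" {
		return true
	}
	for _, allowed := range a.allowedOrigins {
		if strings.EqualFold(allowed, origin) {
			return true
		}
	}
	return false
}

// probeLoad replays the cross-origin POST /load from the advisory against h
// in-process (no network) and returns the HTTP status code.
func probeLoad(h http.Handler, origin, cfgJSON string) int {
	req := httptest.NewRequest(http.MethodPost, "http://127.0.0.1:2019/load", strings.NewReader(cfgJSON))
	req.Header.Set("Content-Type", "application/json")
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// adminEnforcesOrigin reads a Caddy JSON config and reports whether
// admin.enforce_origin is set; field names follow Caddy's admin config schema.
func adminEnforcesOrigin(cfgJSON []byte) (bool, error) {
	var cfg struct {
		Admin struct {
			EnforceOrigin bool     `json:"enforce_origin"`
			Origins       []string `json:"origins"`
		} `json:"admin"`
	}
	if err := json.Unmarshal(cfgJSON, &cfg); err != nil {
		return false, err
	}
	return cfg.Admin.EnforceOrigin, nil
}

// Constructed sample inputs (not taken from the advisory or its PoC).
const attackerConfig = `{"apps":{"http":{"servers":{"srv0":{"listen":[":8080"],"routes":[]}}}}}`

const hardenedConfig = `{"admin":{"listen":"localhost:2019","enforce_origin":true,"origins":["localhost:2019","127.0.0.1:2019"]}}`

func main() {
	weak := &loadAPI{} // enforce_origin unset: the posture the advisory describes
	hard := &loadAPI{enforceOrigin: true, allowedOrigins: []string{"http://localhost:2019", "http://127.0.0.1:2019"}}
	fmt.Println("weak,     attacker origin:", probeLoad(weak, "https://attacker.example", attackerConfig))
	fmt.Println("hardened, attacker origin:", probeLoad(hard, "https://attacker.example", attackerConfig))
	fmt.Println("hardened, allowed origin: ", probeLoad(hard, "http://localhost:2019", attackerConfig))
	ok, _ := adminEnforcesOrigin([]byte(hardenedConfig))
	fmt.Println("hardenedConfig enforces origin:", ok)
}
```

In the toy allowlist the entries are full Origin header values (scheme included) because the comparison is exact; in a real Caddy config the origins list uses the host:port form shown in hardenedConfig, and Caddy performs its own matching. The adminEnforcesOrigin check is the kind of pre-deploy assertion an operator can run over a config file to make sure the weak default (enforce_origin unset) is not shipped.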
References
- https://github.com/caddyserver/caddy/security/advisories/GHSA-879p-475x-rqh2
- https://nvd.nist.gov/vuln/detail/CVE-2026-27589
- https://github.com/caddyserver/caddy/commit/65e0ddc22137bbbaa68c842ae0b98d0548504545
- https://github.com/caddyserver/caddy/releases/tag/v2.11.1
- https://github.com/user-attachments/files/25079818/poc.zip
- https://github.com/user-attachments/files/25079820/PR_DESCRIPTION.md
- https://pkg.go.dev/vuln/GO-2026-4537
Packages
github.com/caddyserver/caddy/v2: affected < 2.11.1; fixed in 2.11.1
Related vulnerabilities
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origin` not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behavior without user intent. Version 2.11.1 contains a fix for the issue.