DEBIAN-CVE-2026-27589

DEBIAN-CVE-2026-27589 PUBLISHED CVSS 6.5 MEDIUM

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origin` not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behavior without user intent. Version 2.11.1 contains a fix for the issue.

Risk Scores

CVSS v3.1

6.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Affected Products

Vendor	Product	Versions
Debian:14	caddy	0, 2.6.2-14, 2.6.2-13
Debian:12	caddy	2.6.2-9, 2.6.2-10, 2.6.2-11
Debian:13	caddy	2.6.2-14, 2.6.2-13, 2.6.2-12

Timeline

Feb 24, 2026 CVE Published
Apr 30, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2026-27589 advisory

Open in Interactive Console →