ID

VAR-202602-2870


CVE

CVE-2026-27589


TITLE

Cross-site request forgery vulnerability in Light Code Labs' Caddy

Trust: 0.8

sources: JVNDB: JVNDB-2026-005157

DESCRIPTION

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local Caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origin` not configured), the admin endpoint accepts cross-origin requests, for example from attacker-controlled web content loaded in a browser that can reach the admin listener (by default, a browser on the same host), and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behaviour without user intent. Version 2.11.1 contains a fix for the issue. Impact as assessed by JVN: the vulnerability does not by itself disclose the information handled by the software to the outside world, but all of that information (the running configuration) may be rewritten; the software is not shut down, and exploitation does not affect other software on the host.
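The two settings that decide exposure are the admin block's `enforce_origin` and `origins` keys. The following Go program is an added example, not code from the advisory or from the Caddy project: it audits a Caddy JSON config for the missing `enforce_origin` setting and shows the kind of Origin/Referer check a state-changing endpoint such as `POST /load` needs in order to refuse a browser-launched cross-origin request. The two config fragments are constructed here; `listen`, `enforce_origin` and `origins` are Caddy's real admin config keys, but `OriginAllowed` is my own approximation of an origin policy and is not Caddy's implementation.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Constructed config fragments (not from the advisory or the Caddy repo).
// weakConfig leaves enforce_origin unset, the state the advisory describes.
const weakConfig = `{
  "admin": { "listen": "127.0.0.1:2019" }
}`

// hardenedConfig turns on origin enforcement and pins the allowed origins.
const hardenedConfig = `{
  "admin": {
    "listen": "127.0.0.1:2019",
    "enforce_origin": true,
    "origins": ["127.0.0.1:2019", "localhost:2019"]
  }
}`

// adminConfig mirrors the subset of Caddy's admin block that we audit.
type adminConfig struct {
	Listen        string   `json:"listen"`
	EnforceOrigin bool     `json:"enforce_origin"`
	Origins       []string `json:"origins"`
}

type caddyConfig struct {
	Admin *adminConfig `json:"admin"`
}

// AdminOriginEnforced reports whether a Caddy JSON config enables origin
// enforcement for the admin API. A missing admin block or a missing
// enforce_origin key both count as "not enforced", i.e. the vulnerable state.
func AdminOriginEnforced(cfgJSON []byte) (bool, error) {
	var cfg caddyConfig
	if err := json.Unmarshal(cfgJSON, &cfg); err != nil {
		return false, err
	}
	if cfg.Admin == nil {
		return false, nil
	}
	return cfg.Admin.EnforceOrigin, nil
}

// OriginAllowed is an illustrative origin policy for a state-changing
// endpoint (assumption: my own check, not Caddy's). The browser-sent Origin
// header is authoritative; Referer is a fallback for clients that omit
// Origin. A request carrying neither is rejected: a cross-site form post or
// fetch from a browser always carries at least one of them, so rejecting the
// empty case costs nothing against CSRF. A literal "null" Origin (sandboxed
// frame) parses with an empty host and is rejected too.
func OriginAllowed(origin, referer string, allowed []string) bool {
	src := origin
	if src == "" {
		src = referer
	}
	if src == "" {
		return false
	}
	u, err := url.Parse(src)
	if err != nil || u.Host == "" {
		return false
	}
	for _, a := range allowed {
		// Compare host[:port] only; the scheme is irrelevant to the allowlist.
		if strings.EqualFold(u.Host, a) {
			return true
		}
	}
	return false
}

func main() {
	for name, cfg := range map[string]string{"weak": weakConfig, "hardened": hardenedConfig} {
		ok, err := AdminOriginEnforced([]byte(cfg))
		fmt.Printf("%-8s enforce_origin=%v err=%v\n", name, ok, err)
	}
	allowed := []string{"127.0.0.1:2019", "localhost:2019"}
	// A victim browsing attacker content triggers a cross-origin POST /load.
	fmt.Println("attacker origin allowed:", OriginAllowed("https://attacker.example", "", allowed))
	// The operator's own tab on the admin host.
	fmt.Println("local origin allowed:   ", OriginAllowed("http://localhost:2019", "", allowed))
}
```

After enabling `enforce_origin` on a live instance, a quick check is a `POST /load` against the admin listener with a forged header such as `-H "Origin: https://attacker.example"` in curl; it should be rejected, while the same request from an origin in the `origins` list is accepted. Upgrading to 2.11.1 remains the fix; the config change is a defence in depth that also limits which local pages may drive the admin API.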

Trust: 1.62

sources: NVD: CVE-2026-27589 // JVNDB: JVNDB-2026-005157

AFFECTED PRODUCTS

vendor: caddyserver  model: caddy  scope: lt  version: 2.11.1

Trust: 1.0

vendor: light code  model: caddy  scope: eq  version: 2.11.1

Trust: 0.8

vendor: light code  model: caddy  scope: -  version: -

Trust: 0.8

vendor: light code  model: caddy  scope: eq  version: -

Trust: 0.8

sources: JVNDB: JVNDB-2026-005157 // NVD: CVE-2026-27589

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2026-27589
value: MEDIUM

Trust: 1.0

security-advisories@github.com: CVE-2026-27589
value: MEDIUM

Trust: 1.0

NVD: CVE-2026-27589
value: MEDIUM

Trust: 0.8

nvd@nist.gov: CVE-2026-27589
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2026-27589
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2026-005157 // NVD: CVE-2026-27589 // NVD: CVE-2026-27589

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.0

problemtype:Cross-site request forgery (CWE-352) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2026-005157 // NVD: CVE-2026-27589

PATCH

title: cross-origin config application via local admin API /load (caddy) (Advisory, caddyserver/caddy, GitHub, PR_DESCRIPTION.md; GitHub Advisory Database)  url: https://github.com/user-attachments/files/25079820/PR_DESCRIPTION.md

Trust: 0.8

sources: JVNDB: JVNDB-2026-005157

EXTERNAL IDS

db: NVD  id: CVE-2026-27589

Trust: 2.6

db: JVNDB  id: JVNDB-2026-005157

Trust: 0.8

sources: JVNDB: JVNDB-2026-005157 // NVD: CVE-2026-27589

REFERENCES

url:https://github.com/user-attachments/files/25079818/poc.zip

Trust: 1.8

url:https://github.com/caddyserver/caddy/releases/tag/v2.11.1

Trust: 1.8

url:https://github.com/user-attachments/files/25079820/pr_description.md

Trust: 1.0

url:https://github.com/caddyserver/caddy/security/advisories/ghsa-879p-475x-rqh2

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2026-27589

Trust: 0.8

sources: JVNDB: JVNDB-2026-005157 // NVD: CVE-2026-27589

SOURCES

db: JVNDB  id: JVNDB-2026-005157
db: NVD  id: CVE-2026-27589

LAST UPDATE DATE

2026-02-28T23:57:27.212000+00:00


SOURCES UPDATE DATE

db: JVNDB  id: JVNDB-2026-005157  date: 2026-02-27T03:42:00
db: NVD  id: CVE-2026-27589  date: 2026-02-25T17:08:56.040

SOURCES RELEASE DATE

db: JVNDB  id: JVNDB-2026-005157  date: 2026-02-27T00:00:00
db: NVD  id: CVE-2026-27589  date: 2026-02-24T17:29:04.317