Cross-site request forgery in Caddy - CVE-2026-27589

Published: April 27, 2026


Vulnerability identifier: #VU128032
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-27589
CWE-ID: CWE-352
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Caddy
Affected software:
Caddy

Detailed vulnerability description

The vulnerability allows a remote attacker to apply an arbitrary configuration and alter server behavior.

The vulnerability exists due to cross-site request forgery in the /load admin endpoint when processing cross-origin requests to the local admin API with origin enforcement disabled. A remote attacker can cause a victim browser to send a specially crafted request to apply an arbitrary configuration and alter server behavior.

User interaction is required, and exploitation requires Caddy to be running with the local admin API enabled and origin enforcement not configured.
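As an added example that is not part of this advisory and not code from the Caddy project, the following Python script audits a Caddy JSON configuration for the condition the advisory describes (an enabled admin API with origin enforcement not configured) and models the Origin-header check that the enforce_origin setting turns on. The admin.disabled, admin.listen, admin.enforce_origin and admin.origins field names are taken from Caddy's documented admin config structure; the sample configurations and the simplified check are constructed for this example and do not reproduce Caddy's implementation.

```python
"""Audit a Caddy JSON config for the admin-API exposure named in the advisory.

Added example, not Caddy's own code. Field names (admin.disabled, admin.listen,
admin.enforce_origin, admin.origins) follow Caddy's documented admin config;
the sample configs are constructed, and origin_allowed() is a simplified model
of the check rather than Caddy's implementation.
"""
from __future__ import annotations

import json
from typing import List, Optional

# Constructed sample: admin API listening, origin enforcement not configured.
WEAK_CONFIG = json.dumps({
    "admin": {"listen": "localhost:2019"},
    "apps": {"http": {"servers": {}}},
})

# Constructed sample: same listener, origin enforcement enabled with an allow-list.
HARDENED_CONFIG = json.dumps({
    "admin": {
        "listen": "localhost:2019",
        "enforce_origin": True,
        "origins": ["localhost:2019"],
    },
    "apps": {"http": {"servers": {}}},
})

# Constructed sample: admin API switched off entirely.
DISABLED_CONFIG = json.dumps({"admin": {"disabled": True}})


def _admin_section(config_text: str) -> dict:
    """Parse the config and return its admin block (empty dict if absent)."""
    return json.loads(config_text).get("admin") or {}


def audit_admin_config(config_text: str) -> List[str]:
    """Return findings for an admin API reachable by cross-origin browser requests.

    An empty list means no finding. A disabled admin API yields no findings
    because there is no endpoint for a forged request to reach.
    """
    admin = _admin_section(config_text)
    findings: List[str] = []
    if admin.get("disabled") is True:
        return findings
    if not admin.get("enforce_origin"):
        findings.append(
            "admin.enforce_origin is not set: the Origin header of requests to "
            "the admin API is not checked, so a browser can be made to send them"
        )
    if not admin.get("origins"):
        findings.append(
            "admin.origins is empty: no explicit allow-list of permitted origins"
        )
    return findings


def _strip_scheme(origin: str) -> str:
    """Reduce 'http://host:port' to 'host:port' for comparison with the allow-list."""
    return origin.split("://", 1)[1] if "://" in origin else origin


def origin_allowed(config_text: str, origin_header: Optional[str]) -> bool:
    """Simplified model of the admin API's Origin check (not Caddy's code).

    With enforce_origin unset, the Origin header is never compared, which is
    the weak setting the advisory describes. With it set, Origin must match an
    entry in admin.origins (defaulting to the listen address when empty).
    """
    admin = _admin_section(config_text)
    if admin.get("disabled") is True:
        return False  # nothing is listening
    if origin_header is None:
        return True  # no Origin header: not a cross-site browser request in this model
    if not admin.get("enforce_origin"):
        return True  # weak setting: any origin is accepted
    allowed = admin.get("origins") or [admin.get("listen", "localhost:2019")]
    return _strip_scheme(origin_header) in {_strip_scheme(a) for a in allowed}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_admin_config(cfg) or ['no findings']}")
        print(f"  cross-origin request accepted: "
              f"{origin_allowed(cfg, 'https://other.example')}")
```

Running the script reports two findings for the weak configuration and none for the hardened one, and shows that only the hardened configuration rejects a request whose Origin is not on the allow-list. Running the audit over deployed configs is a quick way to confirm that the update has been applied alongside, not instead of, enabling origin enforcement.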


How to mitigate CVE-2026-27589

Install the security update from the vendor's website.
