CVE-2026-27589: CWE-352: Cross-Site Request Forgery (CSRF) in caddyserver caddy
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origin` not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behavior without user intent. Version 2.11.1 contains a fix for the issue.
AI Analysis
Technical Summary
CVE-2026-27589 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Caddy web server platform versions prior to 2.11.1. Caddy is an extensible server that uses TLS by default and includes a local administrative API listening on 127.0.0.1:2019. This API exposes a state-changing POST /load endpoint that allows replacing the entire running configuration of the server. The vulnerability arises when the 'enforce_origin' configuration is not enabled, causing the admin API to accept cross-origin requests. An attacker can exploit this by hosting malicious web content that a victim accesses, causing the victim's browser to send unauthorized POST requests to the local admin API. These requests can include attacker-supplied JSON configurations that modify the server's behavior, including changing admin listener settings or HTTP server configurations, without the user's knowledge or consent. The vulnerability does not require authentication or user interaction beyond visiting a malicious web page, making it relatively easy to exploit in environments where the admin API is accessible. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, but high impact on integrity due to unauthorized configuration changes. The vulnerability was addressed in Caddy version 2.11.1 by enabling origin enforcement on the admin API, preventing cross-origin requests from unauthorized sources. No known exploits have been reported in the wild as of the publication date. However, the potential for unauthorized configuration changes poses significant risk to server integrity and security posture. Organizations running vulnerable versions should update promptly and consider additional network-level restrictions to the admin API endpoint.
Potential Impact
The primary impact of CVE-2026-27589 is unauthorized modification of the Caddy server's configuration via the local admin API. This can lead to significant integrity violations, including altering server behavior, changing listener settings, or disabling security features. Such unauthorized changes can facilitate further attacks, such as redirecting traffic, enabling malicious modules, or exposing sensitive data. Since the admin API listens on localhost by default, the attack requires the victim to access attacker-controlled web content, which can be feasible in environments where users browse untrusted sites. The vulnerability does not directly impact confidentiality or availability but can indirectly lead to data exposure or service disruption if attackers modify configurations maliciously. The ease of exploitation without authentication and user interaction (beyond visiting a malicious page) increases risk in environments with vulnerable Caddy deployments. Organizations relying on Caddy for web services, especially those exposing local admin APIs without strict origin enforcement or network restrictions, face increased risk of compromise and operational disruption.
Mitigation Recommendations
1. Upgrade Caddy to version 2.11.1 or later, which includes the fix enabling origin enforcement on the admin API to prevent cross-origin requests.
2. If immediate upgrade is not possible, manually enable the 'enforce_origin' configuration on the admin API to restrict accepted request origins.
3. Restrict access to the admin API endpoint (127.0.0.1:2019) using firewall rules or network segmentation to prevent unauthorized access from untrusted sources.
4. Employ browser security policies such as Content Security Policy (CSP) to limit the ability of attacker-controlled web content to make requests to localhost addresses.
5. Monitor server logs for unexpected POST /load requests or configuration changes to detect potential exploitation attempts.
6. Educate users about the risks of visiting untrusted websites that could host malicious content triggering CSRF attacks.
7. Consider running the admin API on a non-default interface or port with strict access controls to reduce exposure.
8. Regularly audit server configurations and access controls to ensure no unauthorized changes have occurred.
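As an added example (not Caddy's own code), the check that origin enforcement adds in front of a config-replacing endpoint, modelled as a small Go policy: with enforcement off, a POST /load carrying an untrusted Origin is accepted, which is the CSRF described above; with it on, only allowlisted origins pass. The type and function names (`adminPolicy`, `tryLoad`), the allowlist values, and the fallback to the Host header for requests that carry no Origin header are assumptions for illustration.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// adminPolicy models the two admin-listener settings that matter for this CSRF: whether
// Origin is enforced and which origins are trusted (illustrates enforce_origin; not Caddy's code).
type adminPolicy struct {
	enforceOrigin  bool
	allowedOrigins []string
}

// allow decides whether a state-changing admin request (POST /load) may proceed.
func (p adminPolicy) allow(r *http.Request) bool {
	if !p.enforceOrigin {
		return true // the vulnerable default: any origin is accepted
	}
	origin := r.Header.Get("Origin")
	if origin == "" {
		// Browsers always send Origin on a cross-site POST, so a request without it
		// came from a non-browser client; fall back to checking the Host header (assumed policy).
		origin = "http://" + r.Host
	}
	for _, a := range p.allowedOrigins {
		if strings.EqualFold(origin, a) {
			return true
		}
	}
	return false
}

// tryLoad returns the status a POST /load from the given Origin gets on 127.0.0.1:2019 ("" = non-browser client).
func tryLoad(p adminPolicy, origin string) int {
	req := httptest.NewRequest(http.MethodPost, "http://127.0.0.1:2019/load", strings.NewReader(`{}`))
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !p.allow(r) {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusOK) // a real server would now apply the JSON body
	}).ServeHTTP(rec, req)
	return rec.Code
}
```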
Affected Countries
United States, Germany, United Kingdom, Netherlands, Canada, Australia, France, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-20T17:40:28.450Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699e0f3cbe58cf853b290cd9
Added to database: 2/24/2026, 8:51:08 PM
Last enriched: 2/24/2026, 8:54:18 PM
Last updated: 2/24/2026, 11:59:15 PM