TLS
CVE-2026-27589
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen 127.0.0.1:2019) exposes a state-changing POST /load endpoint that replaces the entire running configuration. When origin enforcement is not enabled (enforce_origin not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behavior without user intent. Version 2.11.1 contains a fix for the issue.
AnalysisAI
Caddy versions prior to 2.11.1 allow unauthenticated cross-origin requests to the admin API when origin enforcement is disabled, enabling attackers to remotely reconfigure the server through malicious web content loaded in a victim's browser. Public exploit code exists for this vulnerability, which can be leveraged to modify HTTP server behavior and admin listener settings without user knowledge. The vulnerability affects Caddy and TLS implementations, with no patch currently available for affected versions.
Technical ContextAI
Classified as CWE-352 (Cross-Site Request Forgery (CSRF)). Affects Caddy. Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen 127.0.0.1:2019) exposes a state-changing POST /load endpoint that replaces the entire running configuration. When origin enforcement is not enabled (enforce_origin not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the a
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
MajorDoMo home automation platform is vulnerable to unauthenticated remote code execution through supply chain compromis
Unauthenticated backup download and RCE in Nginx UI before 2.3.3. EPSS 1.0%. PoC available.
FastCGI path splitting vulnerability in Caddy before 2.11.1 allows request smuggling or path confusion when proxying to
TLS error swallowing in Caddy web server before 2.11.1 allows bypassing client certificate authentication. Errors in Cli
Host header case sensitivity bypass in Caddy before 2.11.1. Virtual host routing can be bypassed by using alternate casi
Case sensitivity bypass in Caddy web server path matching before 2.11.1. HTTP path matchers can be bypassed using altern
Alist file manager has an improper certificate validation vulnerability allowing MITM attacks that could compromise file
Caddy versions 2.10.0 through 2.11.1 fail to strip client-supplied headers in the forward_auth copy_headers directive, e
FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, does not properly validate TLS ce
Caddy versions 2.7.5 through 2.11.1 contain a template injection vulnerability in the vars_regexp matcher that allows re
SumatraPDF versions 3.5.0 through 3.5.2 fail to validate TLS certificates during software updates and execute installers
EVerest is an EV charging software stack. In versions 2025.9.0 and below, an attacker can exhaust the operating system's
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-879p-475x-rqh2