CVE-2026-27589

Publication date 24 February 2026

Last updated 27 February 2026

Ubuntu priority

Description

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origin` not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behavior without user intent. Version 2.11.1 contains a fix for the issue.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
caddy	25.10 questing	Needs evaluation
	24.04 LTS noble	Needs evaluation
	22.04 LTS jammy	Not in release

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2026-27589
https://github.com/caddyserver/caddy/security/advisories/GHSA-879p-475x-rqh2
https://github.com/caddyserver/caddy/releases/tag/v2.11.1
https://github.com/user-attachments/files/25079818/poc.zip
https://github.com/user-attachments/files/25079820/PR_DESCRIPTION.md