Fluid Attacks Database

Description

Caddy is vulnerable to cross-origin config application via local admin API /load commit: e0f8d9b2047af417d8faf354b675941f3dac9891 (as-of 2026-02-04) channel: GitHub security advisory (per SECURITY.md)

summary

The local caddy admin API (default listen 127.0.0.1:2019) exposes a state-changing POST /load endpoint that replaces the entire running configuration.

When origin enforcement is not enabled (enforce_origin not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. this can change the admin listener settings and alter HTTP server behavior without user intent.

Severity

Medium

Justification:

The attacker can apply an arbitrary caddy config (integrity impact) by driving a victim’s local admin API.

Exploitation requires a victim running caddy with the admin API enabled and visiting an attacker-controlled page (or otherwise issuing the request from an untrusted local client).

Affected component

caddyconfig/load.go: adminLoad.handleLoad (/load admin endpoint)

Pinned callsite: https://github.com/caddyserver/caddy/blob/e0f8d9b2047af417d8faf354b675941f3dac9891/caddyconfig/load.go#L73

Reproduction

Attachment: poc.zip (integration harness) with canonical and control runs.

unzip -q -o poc.zip -d poc
cd poc/poc-F-CADDY-ADMIN-LOAD-001
make test

Expected output (excerpt):

[CALLSITE_HIT]: adminLoad.handleLoad
[PROOF_MARKER]: http_code=200 admin_moved=true response_pwned=true

Control output (excerpt):

[NC_MARKER]: http_code=403 load_blocked=true admin_moved=false response_pwned=false

Impact

An attacker can replace the running caddy configuration via the local admin API. Depending on the deployed configuration/modules, this can:

Change admin listener settings (e.g., move the admin listener to a new address)

Change HTTP server behavior (e.g., alter routes/responses)

Suggested remediation

Ensure cross-origin web content cannot trigger POST /load on the local admin API by default, for example by:

Enabling origin enforcement by default for unsafe methods, and/or

Requiring an unguessable token for /load (and other state-changing admin endpoints).

poc.zip PR_DESCRIPTION.md

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/caddyserver/caddy/v2	>=0 <2.11.1	2.11.1
debian 13	caddy	=2.11.2-1 \|\| =2.6.2-12 \|\| =2.6.2-13 \|\| =2.6.2-14	-
debian 12	caddy	=2.11.2-1 \|\| =2.6.2-10 \|\| =2.6.2-11 \|\| =2.6.2-12 \|\| =2.6.2-13 \|\| =2.6.2-14 \|\| =2.6.2-5 \|\| =2.6.2-6 \|\| =2.6.2-6.1 \|\| =2.6.2-7 \|\| =2.6.2-8 \|\| =2.6.2-9	-
debian 14	caddy	=2.6.2-12 \|\| =2.6.2-13 \|\| =2.6.2-14 \|\| >=0 <2.11.2-1	2.11.2-1

Aliases

1. CVE-2026-275892. NVD-2026-275893. OSV-2026-275894. OSV-DEBIAN-2026-275895. GHSA-879p-475x-rqh26. GCVE-2026-275897. SECURITY-TRACKER-CVE-2026-27589

References

1. https://github.com/caddyserver/caddy/security/advisories/GHSA-879p-475x-rqh22. https://github.com/caddyserver/caddy/commit/65e0ddc22137bbbaa68c842ae0b98d05485045453. https://github.com/caddyserver/caddy/releases/tag/v2.11.14. https://github.com/user-attachments/files/25079818/poc.zip5. https://github.com/user-attachments/files/25079820/PR_DESCRIPTION.md6. https://pkg.go.dev/vuln/GO-2026-4537

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.