CVE-2026-27589 | Teknoloji dünyasından en güncel haberleri ve güvenlikle ilgili gelişmeleri takip edin.

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a…
Medium CVSS: 6.9

CVE-2026-27589

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origin` not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behavior without user intent. Version 2.11.1 contains a fix for the issue.
Vendor
Caddyserver
Product
Caddy
CWE
CWE-352
Yayın Tarihi
2026-02-24 17:29:04
Güncelleme
2026-02-25 17:08:56
Source Identifier
security-advisories@github.com
KEV Date Added
-

Kategoriler

CWE-352 Caddy MEDIUM Caddyserver 2026

Referanslar

https://github.com/caddyserver/caddy/releases/tag/v2.11.1 https://github.com/caddyserver/caddy/security/advisories/GHSA-879p-475x-rqh2 https://github.com/user-attachments/files/25079818/poc.zip https://github.com/user-attachments/files/25079820/PR_DESCRIPTION.md