Localhost is a Lie: Caddy Admin API CSRF (CVE-2026-27589)
Vulnerability ID: CVE-2026-27589
CVSS Score: 6.9
Published: 2026-02-24
A critical Cross-Site Request Forgery (CSRF) vulnerability in Caddy Web Server's administrative API allows remote attackers to silently overwrite the running configuration of a locally running server. By sending a CORS "simple request" (a POST with a text/plain body, which triggers no preflight), a malicious website can force a developer's browser to POST a new config to localhost:2019, effectively seizing control of the server.
TL;DR
Caddy's admin API (port 2019) did not validate the Origin header. A malicious website can force your browser to send a POST request to 127.0.0.1, overwriting your server config with one controlled by the attacker. Fix: upgrade to v2.11.1.
⚠️ Exploit Status: PoC
Technical Details
- CWE: CWE-352 (CSRF)
- Attack Vector: Network (Drive-by)
- CVSS v4.0: 6.9 (Medium)
- Impact: High Integrity (Config Overwrite)
- Exploit Status: PoC Available
- Bypass Method: CORS Simple Request (text/plain)
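The bypass works because a POST with a text/plain body is a CORS "simple request": the browser sends it without a preflight, so the server only finds out afterwards. The following is an added illustration, not Caddy's code or its actual fix: a small Go middleware that applies the two server-side checks the advisory's mitigation list calls for (reject any Origin not on an allowlist, and refuse config-changing requests that are not application/json), exercised against in-memory requests with net/http/httptest. The allowlist, the /load path and the handler names are constructed for the example.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// allowedOrigins is the allowlist a hardened admin endpoint accepts. It is
// constructed for this example; a real server would derive it from its
// configured admin listen address and allowed origins.
var allowedOrigins = map[string]bool{
	"http://localhost:2019": true,
	"http://127.0.0.1:2019": true,
}

// requireSameOrigin wraps an admin handler. A CORS "simple request" (for
// instance a POST with a text/plain body) is sent without a preflight, so the
// browser never asks the server for permission first; the server must instead
// inspect the Origin header the browser attaches and the Content-Type.
func requireSameOrigin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Browsers set Origin on every cross-origin request, so a request
		// fired from a page on another site always carries one we can reject.
		if origin := r.Header.Get("Origin"); origin != "" && !allowedOrigins[origin] {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		// Config-changing calls must carry JSON. text/plain is one of the
		// content types that never triggers a preflight, and a browser cannot
		// send application/json cross-origin without one, so this check
		// closes the path even for a client that omits Origin.
		if r.Method != http.MethodGet && r.Method != http.MethodHead {
			mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
			if err != nil || mt != "application/json" {
				http.Error(w, "admin API requires application/json", http.StatusUnsupportedMediaType)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// loadHandler stands in for a config-load endpoint; it only acknowledges that
// a body reached it.
func loadHandler(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	fmt.Fprintln(w, "config accepted")
}

// simulate sends one in-memory request through the guarded handler and
// returns the HTTP status code, so the policy can be exercised without
// opening a listening socket.
func simulate(method, origin, contentType string) int {
	req := httptest.NewRequest(method, "http://127.0.0.1:2019/load", strings.NewReader(`{"apps":{}}`))
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	if contentType != "" {
		req.Header.Set("Content-Type", contentType)
	}
	rec := httptest.NewRecorder()
	requireSameOrigin(http.HandlerFunc(loadHandler)).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	cases := []struct{ method, origin, ct string }{
		{"POST", "https://third-party.example", "text/plain"}, // drive-by page: rejected (403)
		{"POST", "http://localhost:2019", "application/json"}, // local dashboard: allowed (200)
		{"POST", "", "application/json"},                      // curl from the shell: allowed (200)
		{"POST", "", "text/plain"},                            // wrong content type: rejected (415)
		{"GET", "https://third-party.example", ""},            // cross-origin read: rejected (403)
	}
	for _, c := range cases {
		fmt.Printf("%-4s origin=%-28q ct=%-18q -> %d\n", c.method, c.origin, c.ct, simulate(c.method, c.origin, c.ct))
	}
}
```

The order of the checks matters: the Origin test runs first so a cross-site page is refused regardless of what body it sends, and the Content-Type test is the backstop for clients that legitimately send no Origin header.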
Affected Systems
- Caddy Web Server < v2.11.1 (fixed in v2.11.1)
Code Analysis
Commit 65e0ddc: Implemented tracking of configuration source to prevent state confusion
    func (h *adminHandler) handleLoad... // Added source tracking headers logic
Commit e0f8d9b: Hardening of TLS CA pools and context assertions
    repl, ok := ctx.Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
Exploit Details
- GitHub: Deterministic PoC archive containing reproduction steps and Makefile
Mitigation Strategies
- Enforce Strict Origin Validation on Admin API
- Implement Configuration Source Tracking
- Validate Content-Type headers strictly
Remediation Steps:
- Update Caddy to version 2.11.1 or later.
- If updating is impossible, configure the 'admin' module to explicitly set 'enforce_origin' to true.
- Ensure the admin listener is bound strictly to 127.0.0.1 and not 0.0.0.0.
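The two configuration steps above (enforce_origin set to true, listener bound to loopback) can be checked mechanically before a config is loaded. Below is an added Go example, written for this page and not part of Caddy, that parses a Caddy JSON config and reports each weak admin setting; it embeds a constructed weak config beside the corrected one. The "listen" and "enforce_origin" keys are the ones named in the remediation; "origins" is assumed to be the matching allowlist key, and the default listener of "localhost:2019" when "admin" is omitted is taken from Caddy's documented behaviour.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// adminConfig mirrors the fields of Caddy's "admin" object that matter for
// this check ("listen", "enforce_origin"; "origins" is assumed to be the
// allowlist key).
type adminConfig struct {
	Listen        string   `json:"listen"`
	EnforceOrigin bool     `json:"enforce_origin"`
	Origins       []string `json:"origins"`
}

type caddyConfig struct {
	Admin *adminConfig `json:"admin"`
}

// Two constructed configs: the weak one binds every interface and leaves
// origin enforcement off; the hardened one follows the remediation steps.
const weakConfig = `{"admin": {"listen": "0.0.0.0:2019"}}`
const hardenedConfig = `{"admin": {"listen": "localhost:2019", "enforce_origin": true,
  "origins": ["localhost:2019", "127.0.0.1:2019"]}}`

// isLoopback reports whether a listen address only accepts local connections:
// a unix socket, "localhost", or a loopback IP. An empty host (":2019"),
// "0.0.0.0" or "::" binds every interface and is reported as exposed.
func isLoopback(listen string) bool {
	if strings.HasPrefix(listen, "unix/") {
		return true
	}
	addr := listen
	if i := strings.Index(addr, "/"); i >= 0 { // strip a "tcp/" style network prefix
		addr = addr[i+1:]
	}
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		host = addr // no port given; treat the whole string as the host
	}
	if host == "localhost" {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// auditAdmin parses a Caddy JSON config and returns one finding per weak
// admin setting; an empty result means the listener is local and origin
// checks are enforced.
func auditAdmin(cfgJSON string) ([]string, error) {
	var cfg caddyConfig
	if err := json.Unmarshal([]byte(cfgJSON), &cfg); err != nil {
		return nil, err
	}
	admin := cfg.Admin
	if admin == nil {
		admin = &adminConfig{} // "admin" omitted: defaults apply below
	}
	listen := admin.Listen
	if listen == "" {
		listen = "localhost:2019" // Caddy's documented default admin listener
	}
	var findings []string
	if !isLoopback(listen) {
		findings = append(findings, fmt.Sprintf("admin listener %q is not bound to loopback", listen))
	}
	if !admin.EnforceOrigin {
		findings = append(findings, "enforce_origin is not set to true")
	}
	return findings, nil
}

func main() {
	for name, cfg := range map[string]string{"weak": weakConfig, "hardened": hardenedConfig} {
		findings, err := auditAdmin(cfg)
		if err != nil {
			fmt.Printf("%s: parse error: %v\n", name, err)
			continue
		}
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Run against the weak config this reports both the exposed listener and the missing enforce_origin; the hardened config produces no findings. A config with no "admin" block at all still yields the enforce_origin finding, since the default listener is local but origin enforcement is off.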
References
Read the full report for CVE-2026-27589 on our website for more details including interactive diagrams and full exploit analysis.