Caddy Web Server Cross-Site Request Forgery (CSRF) Vulnerability - CVE-2026-27589

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1 the local caddy admin API (default listen 127.0.0.1:2019) exposes a state-changing POST /load endpoint that replaces the entire running configuration. When origin enforcement is not enabled (enforce_origin not configured) the admin endpoint accepts cross-origin requests (e.g. from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behavior without user intent. Version 2.11.1 contains a fix for the issue.