hi folks,
commit: e0f8d9b (as-of 2026-02-04)
channel: GitHub security advisory (per SECURITY.md)
summary
the local caddy admin API (default listen 127.0.0.1:2019) exposes a state-changing POST /load endpoint that replaces the entire running configuration.
when origin enforcement is not enabled (enforce_origin not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. this can change the admin listener settings and alter HTTP server behavior without user intent.
severity
high
justification:
- the attacker can apply an arbitrary caddy config (integrity impact) by driving a victim’s local admin API.
- exploitation requires a victim running caddy with the admin API enabled and visiting an attacker-controlled page (or otherwise issuing the request from an untrusted local client).
affected component
caddyconfig/load.go: adminLoad.handleLoad (/load admin endpoint)- pinned callsite:
|
func (adminLoad) handleLoad(w http.ResponseWriter, r *http.Request) error { |
reproduction
attachment: poc.zip (integration harness) with canonical and control runs.
unzip -q -o poc.zip -d poc
cd poc/poc-F-CADDY-ADMIN-LOAD-001
make test
expected output (excerpt):
[CALLSITE_HIT]: adminLoad.handleLoad
[PROOF_MARKER]: http_code=200 admin_moved=true response_pwned=true
control output (excerpt):
[NC_MARKER]: http_code=403 load_blocked=true admin_moved=false response_pwned=false
impact
an attacker can replace the running caddy configuration via the local admin API. depending on the deployed configuration/modules, this can:
- change admin listener settings (e.g., move the admin listener to a new address)
- change HTTP server behavior (e.g., alter routes/responses)
suggested remediation
ensure cross-origin web content cannot trigger POST /load on the local admin API by default, for example by:
- enabling origin enforcement by default for unsafe methods, and/or
- requiring an unguessable token for
/load (and other state-changing admin endpoints).
poc.zip
PR_DESCRIPTION.md
best,
oleh
hi folks,
commit: e0f8d9b (as-of 2026-02-04)
channel: GitHub security advisory (per SECURITY.md)
summary
the local caddy admin API (default listen
127.0.0.1:2019) exposes a state-changingPOST /loadendpoint that replaces the entire running configuration.when origin enforcement is not enabled (
enforce_originnot configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. this can change the admin listener settings and alter HTTP server behavior without user intent.severity
high
justification:
affected component
caddyconfig/load.go: adminLoad.handleLoad(/loadadmin endpoint)caddy/caddyconfig/load.go
Line 73 in e0f8d9b
reproduction
attachment:
poc.zip(integration harness) with canonical and control runs.expected output (excerpt):
control output (excerpt):
impact
an attacker can replace the running caddy configuration via the local admin API. depending on the deployed configuration/modules, this can:
suggested remediation
ensure cross-origin web content cannot trigger
POST /loadon the local admin API by default, for example by:/load(and other state-changing admin endpoints).poc.zip
PR_DESCRIPTION.md
best,
oleh