Open
Description
While working on this project, I identified CVE-2026-27589 affecting the Caddy web server. The vulnerability allows cross-origin configuration manipulation through the local admin API when origin enforcement is not enabled. An attacker could send a malicious POST request to the /load endpoint and replace the running configuration, potentially altering server behavior and exposing sensitive data.
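A defensive check for the condition this report describes (an admin API running without origin enforcement), as an added example that is not code from the issue author or from the Caddy project. It assumes a Caddy JSON config using the `admin.disabled`, `admin.listen`, `admin.enforce_origin` and `admin.origins` keys; the sample configs are constructed, and treating unix-socket listeners as out of scope is this check's own assumption.

```python
import json

DEFAULT_LISTEN = "localhost:2019"              # Caddy's default admin address
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]"}

def audit_admin(config_text):
    """Return a list of findings for the `admin` block of a Caddy JSON config."""
    admin = json.loads(config_text).get("admin") or {}
    if admin.get("disabled"):
        return []                               # admin endpoint is switched off
    listen = admin.get("listen") or DEFAULT_LISTEN
    # Caddy network addresses may carry a prefix, e.g. "tcp/localhost:2019".
    if "/" in listen:
        network, _, addr = listen.partition("/")
    else:
        network, addr = "tcp", listen
    if network.startswith("unix"):
        return []                               # assumption: sockets are out of scope here
    host = addr.rsplit(":", 1)[0]               # "" means all interfaces
    findings = []
    if host not in LOOPBACK_HOSTS:
        findings.append(f"admin API listens on {listen!r}, not limited to loopback")
    if not admin.get("enforce_origin", False):
        findings.append(f"admin API on {listen!r}: enforce_origin is off, "
                        "so requests are not checked against an origin allow-list")
    return findings

# Constructed sample configs (not taken from the report).
SAMPLES = {
    "defaults":  '{"apps": {}}',
    "disabled":  '{"admin": {"disabled": true}}',
    "hardened":  '{"admin": {"listen": "localhost:2019", "enforce_origin": true,'
                 ' "origins": ["localhost:2019"]}}',
    "wide_open": '{"admin": {"listen": ":2019"}}',
    "socket":    '{"admin": {"listen": "unix//run/caddy-admin.sock"}}',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        results = audit_admin(text)
        print(f"{name}: {'OK' if not results else ''}")
        for line in results:
            print(f"  - {line}")
```

Running the same function over the output of an exported live config, rather than the file on disk, shows what the server is actually enforcing.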