← Back to CVEs
CVE-2026-30852
HIGH7.5
Description
Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When vars_regexp matches against a placeholder like {http.request.header.X-Input}, the header value gets resolved once (expected), then passed through repl.ReplaceAll() again (the bug). This means an attacker can put {env.DATABASE_URL} or {file./etc/passwd} in a request header and the server will evaluate it, leaking environment variables, file contents, and system info. This issue has been patched in version 2.11.2.
CVE Details
CVSS v3.1 Score7.5
SeverityHIGH
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published3/7/2026
Last Modified3/11/2026
Sourcenvd
Honeypot Sightings0
Affected Products
caddyserver:caddy
Weaknesses (CWE)
CWE-74CWE-200
References
https://github.com/caddyserver/caddy/pull/5408(security-advisories@github.com)
https://github.com/caddyserver/caddy/releases/tag/v2.11.2(security-advisories@github.com)
https://github.com/caddyserver/caddy/security/advisories/GHSA-m2w3-8f23-hxxf(security-advisories@github.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.