← Retour aux CVEs
CVE-2026-30852
HIGH7.5
Description
Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When vars_regexp matches against a placeholder like {http.request.header.X-Input}, the header value gets resolved once (expected), then passed through repl.ReplaceAll() again (the bug). This means an attacker can put {env.DATABASE_URL} or {file./etc/passwd} in a request header and the server will evaluate it, leaking environment variables, file contents, and system info. This issue has been patched in version 2.11.2.
Details CVE
Score CVSS v3.17.5
SeveriteHIGH
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisNONE
Interaction utilisateurNONE
Publie3/7/2026
Derniere modification3/11/2026
Sourcenvd
Observations honeypot0
Produits affectes
caddyserver:caddy
Faiblesses (CWE)
CWE-74CWE-200
References
https://github.com/caddyserver/caddy/pull/5408(security-advisories@github.com)
https://github.com/caddyserver/caddy/releases/tag/v2.11.2(security-advisories@github.com)
https://github.com/caddyserver/caddy/security/advisories/GHSA-m2w3-8f23-hxxf(security-advisories@github.com)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.