CVE-2026-30852Injection in Caddyserver Caddy V2

CWE-74InjectionCWE-200Sensitive Information Exposure8 documents6 sources
Severity
5.5MEDIUMNVD
EPSS
0.0%
top 87.20%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Github.com Caddyserver Caddy V2Github.com Caddyserver Caddy V2 Modules CaddyhttpCaddyserver Caddy
Timeline
PublishedMar 7
Latest updateMar 10

Description

Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When vars_regexp matches against a placeholder like {http.request.header.X-Input}, the header value gets resolved once (expected), then passed through repl.ReplaceAll() again (the bug). This means an attacker can put {env.DATABASE_URL} or {file./etc/passwd} in a request header and the

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages4 packages

NVDcaddyserver/caddy2.7.52.11.2
Gogithub.com/caddyserver_caddy_v22.7.52.11.2
CVEListV5caddyserver/caddy>= 2.7.5, < 2.11.2

Patches

Patch: github.com

🔴Vulnerability Details

5
OSV
Caddy's vars_regexp double-expands user input, leaking env vars and files in github.com/caddyserver/caddy2026-03-10
CVEList
Caddy: vars_regexp double-expands user input, leaking env vars and files2026-03-07
OSV
CVE-2026-30852: Caddy is an extensible server platform that uses TLS by default2026-03-07
OSV
Caddy's vars_regexp double-expands user input, leaking env vars and files2026-03-06
GHSA
Caddy's vars_regexp double-expands user input, leaking env vars and files2026-03-06

📋Vendor Advisories

1
Debian
CVE-2026-30852: caddy - Caddy is an extensible server platform that uses TLS by default. From version 2....2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-30852 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-30852 — Injection in Caddyserver Caddy V2 | cvebase