CVE-2026-30852
Published 2026-03-07
Priority P347 · Severity high · CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.40% (31.9th percentile)
Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When vars_regexp matches against a placeholder like {http.request.header.X-Input}, the header value gets resolved once (expected), then passed through repl.ReplaceAll() again (the bug). This means an attacker can put {env.DATABASE_URL} or {file./etc/passwd} in a request header and the server will evaluate it, leaking environment variables, file contents, and system info. This issue has been patched in version 2.11.2.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| caddyserver | caddy | — | — |
| caddyserver | caddy | >= 2.7.5 < 2.11.2 | 2.11.2 |
| debian | caddy | — | — |
| github.com | caddyserver_caddy_v2 | 2.11.0 – 2.11.2 | — |
| github.com | caddyserver_caddy_v2 | >= 2.7.5 < 2.11.2 | 2.11.2 |
| github.com | caddyserver_caddy_v2_modules_caddyhttp | >= 2.7.5 < 2.11.2 | 2.11.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | 4.0 | 5.5 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| ghsa | n/a | 5.5 | MEDIUM | n/a |
| osv | n/a | 5.5 | MEDIUM | n/a |
| vendor_debian | n/a | 5.5 | LOW | n/a |
GHSA
Caddy CVE-2026-30852 Fix Bypass
ghsa · 2026-05-19 · CVSS 5.5 · MEDIUM · CWE-917
## TL;DR
CVE-2026-30852 fixed double expansion in `vars_regexp` when the variable key is a placeholder (e.g. `{http.vars.x}`). The fix does NOT protect literal key names (e.g. `tenant_id`). An attacker injects `{env.AWS_SECRET_ACCESS_KEY}` or `{file./etc/passwd}` via a request header → Caddy expands it on the second pass → secrets leaked in response headers.
**Affected:** Caddy v2.11.0 through v2.11.2 (latest). All versions since the CVE-2026-30852 fix.
## Root Cause
`modules/caddyhttp/vars.go`, lines 215-217:
```go
valExpanded = varStr
if !fromPlaceholder {
    valExpanded = repl.ReplaceAll(varStr, "") // ← SECOND EXPANSION
}
```
The same issue appears at lines 358-360 in `MatchVarsRE`.
`fromPlaceholder` is `false` when the variable key is a literal string (not w
OSV
Caddy's vars_regexp double-expands user input, leaking env vars and files in github.com/caddyserver/caddy
osv · 2026-03-10
OSV
CVE-2026-30852: Caddy is an extensible server platform that uses TLS by default
osv · 2026-03-07 · CVSS 5.5 · MEDIUM
OSV
Caddy's vars_regexp double-expands user input, leaking env vars and files
osv · 2026-03-06 · MEDIUM
### Summary
The `vars_regexp` matcher in `vars.go:337` double-expands user-controlled input through the Caddy replacer. When `vars_regexp` matches against a placeholder like `{http.request.header.X-Input}`, the header value gets resolved once (expected), then passed through `repl.ReplaceAll()` again (the bug). This means an attacker can put `{env.DATABASE_URL}` or `{file./etc/passwd}` in a request header and the server will evaluate it, leaking environment variables, file contents, and system info.
`header_regexp` does NOT do this — it passes header values straight to `Match()`. So this is a code-level inconsistency, not intended behavior.
### Details
The bug is at `modules/caddyhttp/vars.go`, line 337 in `Match
GHSA
Caddy's vars_regexp double-expands user input, leaking env vars and files
ghsa · 2026-03-06 · MEDIUM · CWE-200
Debian
CVE-2026-30852: caddy - Caddy is an extensible server platform that uses TLS by default. From version 2....
vendor_debian · 2026 · CVSS 5.5 · MEDIUM
Scope: local
Status: bookworm resolved; sid resolved; trixie resolved
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-30852 caddy: Caddy: Information disclosure via double-expansion of user-controlled input [fedora-all]
bugzilla · 2026-06-11 · CVSS 7.5 · HIGH
+++ This bug was initially created as a clone of Bug #2445849 +++
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-30852 caddy: Caddy: Information disclosure via double-expansion of user-controlled input [epel-all]
bugzilla · 2026-03-09 · CVSS 7.5 · HIGH
Discussion:
This flaw was introduced in caddy 2.7.5. EPEL 8 and EPEL 9 have caddy 2.6.4 and thus are not affected.
Fedora is affected, but I've cloned this bug to address it there.
---
EPEL 10 is affected as it has caddy 2.10.2.
Bugzilla
CVE-2026-30852 github.com/caddyserver/caddy/v2/modules/caddyhttp: Caddy: Information disclosure via double-expansion of user-controlled input
bugzilla · 2026-03-07 · CVSS 7.5 · HIGH
Wiz
CVE-2026-30852 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.5 · MEDIUM
## CVE-2026-30852: NixOS vulnerability analysis and mitigation
Source: NVD
Score 5.5 (CNA score 5.5) · Severity MEDIUM · Published March 7, 2026 (2026-03-07)