CVE-2026-30852

Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When vars_regexp matches against a placeholder like {http.request.header.X-Input}, the header value gets resolved once (expected), then passed through repl.ReplaceAll() again (the bug). This means an attacker can put {env.DATABASE_URL} or {file./etc/passwd} in a request header and the server will evaluate it, leaking environment variables, file contents, and system info. This issue has been patched in version 2.11.2.
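As an added illustration (not Caddy's code), a minimal Go model of the double expansion the description above refers to: a toy placeholder replacer, the pre-fix matcher logic that runs ReplaceAll twice, and the corrected single expansion, plus a request-log heuristic for spotting header values that carry placeholder syntax. `Replacer`, `matchVulnerable`, `matchFixed` and `headerLooksLikePlaceholder` are hypothetical names, and the header and environment values are constructed sample data.

```go
package main

import (
	"fmt"
	"regexp"
)

// One {name} token; a single pass resolves exactly one level of placeholders.
var placeholder = regexp.MustCompile(`\{[^{}]+\}`)
// Replacer is a toy placeholder replacer (hypothetical, not Caddy's code).
type Replacer struct{ vars map[string]string }

// ReplaceAll resolves every known {name} once; unknown names are left untouched.
func (r Replacer) ReplaceAll(s string) string {
	return placeholder.ReplaceAllStringFunc(s, func(tok string) string {
		if v, ok := r.vars[tok[1:len(tok)-1]]; ok {
			return v
		}
		return tok
	})
}

// matchVulnerable models the pre-fix behaviour in the description: the configured
// input is resolved once (expected), then the resolved, user-controlled value goes
// through ReplaceAll again (the bug), so placeholder syntax in a header is evaluated.
func matchVulnerable(repl Replacer, input string, re *regexp.Regexp) (bool, string) {
	resolved := repl.ReplaceAll(input)
	resolved = repl.ReplaceAll(resolved) // second expansion of attacker-controlled data
	return re.MatchString(resolved), resolved
}

// matchFixed expands the configured input exactly once; the header value is matched as opaque text.
func matchFixed(repl Replacer, input string, re *regexp.Regexp) (bool, string) {
	resolved := repl.ReplaceAll(input)
	return re.MatchString(resolved), resolved
}

// headerLooksLikePlaceholder is a request-log heuristic: flag header values carrying placeholder syntax.
func headerLooksLikePlaceholder(v string) bool { return placeholder.MatchString(v) }

func main() {
	repl := Replacer{vars: map[string]string{ // constructed sample data, not real values
		"env.DATABASE_URL":            "postgres://app:s3cret@db/prod",
		"http.request.header.X-Input": "{env.DATABASE_URL}",
	}}
	re := regexp.MustCompile(`.*`) // the pattern itself does not matter for the leak
	_, leaked := matchVulnerable(repl, "{http.request.header.X-Input}", re)
	_, safe := matchFixed(repl, "{http.request.header.X-Input}", re)
	fmt.Println("vulnerable:", leaked, "| fixed:", safe)
}
```

The vulnerable path prints the constructed secret, the fixed path prints the literal `{env.DATABASE_URL}` the client sent.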
Configurations

Configuration 1

cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*

History

11 Mar 2026, 13:01

Summary
  • Added (es): Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When vars_regexp matches against a placeholder like {http.request.header.X-Input}, the header value is resolved once (expected), then passed through repl.ReplaceAll() again (the bug). This means an attacker can place {env.DATABASE_URL} or {file./etc/passwd} in a request header and the server will evaluate it, leaking environment variables, file contents and system information. This issue has been patched in version 2.11.2.
References
  • https://github.com/caddyserver/caddy/pull/5408 (tags added: Issue Tracking, Patch)
  • https://github.com/caddyserver/caddy/releases/tag/v2.11.2 (tags added: Product, Release Notes)
  • https://github.com/caddyserver/caddy/security/advisories/GHSA-m2w3-8f23-hxxf (tags added: Exploit, Mitigation, Vendor Advisory)
CPE
  • Added: cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*
CVSS
  • Removed: v2 : unknown, v3 : unknown
  • Added: v2 : unknown, v3 : 7.5
First Time
  • Caddyserver
  • Caddyserver caddy

07 Mar 2026, 17:15

  • New CVE

Information

Published : 2026-03-07 17:15

Updated : 2026-03-11 13:01


NVD link : CVE-2026-30852

Mitre link : CVE-2026-30852

CVE.ORG link : CVE-2026-30852



Products Affected

caddyserver

  • caddy
CWE
CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor