CVE-2026-30852

UNKNOWN 0.0

Caddy: vars_regexp double-expands user input, leaking env vars and files

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When vars_regexp matches against a placeholder like {http.request.header.X-Input}, the header value gets resolved once (expected), then passed through repl.ReplaceAll() again (the bug). This means an attacker can put {env.DATABASE_URL} or {file./etc/passwd} in a request header and the server will evaluate it, leaking environment variables, file contents, and system info. This issue has been patched in version 2.11.2.

CWE	CWE-200 CWE-74
Vendor	caddyserver
Product	caddy
Published	Mar 7, 2026
Last Updated	Mar 9, 2026

Stay Ahead of the Next One

Get instant alerts for caddyserver caddy

Be the first to know when new unknown vulnerabilities affecting caddyserver caddy are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

caddyserver / caddy

>= 2.7.5, < 2.11.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/caddyserver/caddy/security/advisories/GHSA-m2w3-8f23-hxxf github.com: https://github.com/caddyserver/caddy/pull/5408 github.com: https://github.com/caddyserver/caddy/releases/tag/v2.11.2