ID
VAR-202603-3635
CVE
CVE-2026-30852
DESCRIPTION
Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When vars_regexp matches against a placeholder like {http.request.header.X-Input}, the header value gets resolved once (expected), then passed through repl.ReplaceAll() again (the bug). This means an attacker can put {env.DATABASE_URL} or {file./etc/passwd} in a request header and the server will evaluate it, leaking environment variables, file contents, and system info. This issue has been patched in version 2.11.2.
Trust: 1.0
AFFECTED PRODUCTS
| vendor: | caddyserver | model: | caddy | scope: | gte | version: | 2.7.5 | Trust: 1.0 |
| vendor: | caddyserver | model: | caddy | scope: | lt | version: | 2.11.2 | Trust: 1.0 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | |||||||||||||||||||||||||||||||||||||||||
|
|
PROBLEMTYPE DATA
| problemtype: | CWE-74 | Trust: 1.0 |
| problemtype: | CWE-200 | Trust: 1.0 |
EXTERNAL IDS
| db: | NVD | id: | CVE-2026-30852 | Trust: 1.0 |
REFERENCES
| url: | https://github.com/caddyserver/caddy/security/advisories/ghsa-m2w3-8f23-hxxf | Trust: 1.0 |
| url: | https://github.com/caddyserver/caddy/pull/5408 | Trust: 1.0 |
| url: | https://github.com/caddyserver/caddy/releases/tag/v2.11.2 | Trust: 1.0 |
SOURCES
| db: | NVD | id: | CVE-2026-30852 |
LAST UPDATE DATE
2026-03-26T23:02:59.189000+00:00
SOURCES UPDATE DATE
| db: | NVD | id: | CVE-2026-30852 | date: | 2026-03-11T13:01:46.030 |
SOURCES RELEASE DATE
| db: | NVD | id: | CVE-2026-30852 | date: | 2026-03-07T17:15:52.733 |