CVE-2026-30852
Received Received - Intake
Server-Side Template Injection in Caddy vars_regexp Matcher

Publication date: 2026-03-07

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When vars_regexp matches against a placeholder like {http.request.header.X-Input}, the header value gets resolved once (expected), then passed through repl.ReplaceAll() again (the bug). This means an attacker can put {env.DATABASE_URL} or {file./etc/passwd} in a request header and the server will evaluate it, leaking environment variables, file contents, and system info. This issue has been patched in version 2.11.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-07
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-03-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30852
EUVD
EUVD-2026-10177
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
caddyserver caddy From 2.7.5 (inc) to 2.11.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-30852 is a vulnerability in the Caddy web server's vars_regexp matcher component. The issue arises because the matcher double-expands user-controlled input through the Caddy replacer. Specifically, when a placeholder like {http.request.header.X-Input} is matched, the header value is resolved once as expected, but then it is passed through a second expansion unintentionally. This second expansion causes the server to evaluate embedded placeholders such as {env.DATABASE_URL} or {file./etc/passwd}, which can lead to leaking sensitive environment variables, file contents, and system information."}, {'type': 'paragraph', 'content': 'This behavior is inconsistent with other matchers like header_regexp and path_regexp, which do not perform this second expansion. The vulnerability was introduced by a code change intended to fix an unrelated issue but inadvertently caused this double expansion. It affects Caddy versions from 2.7.5 up to but not including 2.11.2 and has been patched in version 2.11.2.'}] [2, 3]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information. An attacker can craft request headers containing placeholders that, due to the double expansion bug, cause the server to reveal environment variables (such as database URLs and secret keys), local file contents (like /etc/passwd), and system information (including hostname and OS details).

The impact requires that the server configuration uses the vars_regexp matcher on user-controlled input and reflects the matched content in responses. Exploiting this can expose critical secrets and system data, potentially leading to further attacks or system compromise.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending specially crafted HTTP requests with headers containing placeholders like {env.SECRET_API_KEY} or {file./etc/hosts} to a Caddy server route that uses the vars_regexp matcher. If the server responds with expanded environment variables, file contents, or system information instead of the literal placeholder, the vulnerability is present.'}, {'type': 'paragraph', 'content': 'A practical detection method is to use curl or similar HTTP clients to send requests with headers containing these placeholders and observe the response.'}, {'type': 'list_item', 'content': 'curl -H "X-Input: {env.SECRET_API_KEY}" http://your-caddy-server/your-endpoint'}, {'type': 'list_item', 'content': 'curl -H "X-Input: {file./etc/passwd}" http://your-caddy-server/your-endpoint'}, {'type': 'paragraph', 'content': 'If the response contains the actual secret key or file contents instead of the placeholder text, the server is vulnerable.'}] [2]

Mitigation Strategies

The immediate and recommended mitigation is to upgrade the Caddy server to version 2.11.2 or later, where this vulnerability has been patched.

Version 2.11.2 fixes the double-expansion issue in the vars_regexp matcher, preventing secret leakage through placeholder expansion.

Until the upgrade can be performed, consider restricting or sanitizing user-controlled input that can be matched by vars_regexp to avoid processing untrusted placeholders.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30852. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart