CVE-2026-30852
Server-Side Template Injection in Caddy vars_regexp Matcher
Publication date: 2026-03-07
Last updated on: 2026-03-11
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| caddyserver | caddy | From 2.7.5 (inc) to 2.11.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30852 is a vulnerability in the Caddy web server's vars_regexp matcher component. The issue arises because the matcher double-expands user-controlled input through the Caddy replacer. Specifically, when a placeholder like {http.request.header.X-Input} is matched, the header value is resolved once as expected, but then it is passed through a second expansion unintentionally. This second expansion causes the server to evaluate embedded placeholders such as {env.DATABASE_URL} or {file./etc/passwd}, which can lead to leaking sensitive environment variables, file contents, and system information.

This behavior is inconsistent with other matchers like header_regexp and path_regexp, which do not perform this second expansion. The vulnerability was introduced by a code change intended to fix an unrelated issue but inadvertently caused this double expansion. It affects Caddy versions from 2.7.5 up to but not including 2.11.2 and has been patched in version 2.11.2. [2, 3]
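As an added illustration (not Caddy's own code), the toy replacer below models the single- versus double-expansion difference described above: the placeholder table, the header value and the secret are constructed, and varsRegexpMatch is a hypothetical stand-in for the matcher, with the doubleExpand flag reproducing the flawed second pass.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed placeholder table standing in for Caddy's replacer. The header
// value is what a client would send; the env value is a made-up secret.
var vars = map[string]string{
	"http.request.header.X-Input": "{env.DATABASE_URL}",
	"env.DATABASE_URL":            "postgres://app:s3cret@db.internal/prod",
}

var placeholderRe = regexp.MustCompile(`\{[^{}]+\}`)

// expandOnce resolves every {name} placeholder in s exactly one time; unknown
// placeholders are left as literal text.
func expandOnce(s string) string {
	return placeholderRe.ReplaceAllStringFunc(s, func(m string) string {
		if v, ok := vars[m[1:len(m)-1]]; ok {
			return v
		}
		return m
	})
}

// varsRegexpMatch models a vars_regexp matcher: expand the variable expression,
// run the regexp over it, and return the first capture group (the kind of value
// a config might later reflect into a response). doubleExpand=true reproduces
// the flawed behaviour the advisory describes; false is the single expansion
// that header_regexp and path_regexp perform.
func varsRegexpMatch(expr, pattern string, doubleExpand bool) (bool, string) {
	val := expandOnce(expr)
	if doubleExpand {
		val = expandOnce(val) // second pass evaluates placeholders inside user input
	}
	m := regexp.MustCompile(pattern).FindStringSubmatch(val)
	if m == nil {
		return false, ""
	}
	return true, m[1]
}

func main() {
	expr, pat := "{http.request.header.X-Input}", `^(.*)$`
	_, leaked := varsRegexpMatch(expr, pat, true)
	_, literal := varsRegexpMatch(expr, pat, false)
	fmt.Println("double expansion:", leaked)  // the constructed secret
	fmt.Println("single expansion:", literal) // the literal text {env.DATABASE_URL}
}
```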
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive information. An attacker can craft request headers containing placeholders that, due to the double expansion bug, cause the server to reveal environment variables (such as database URLs and secret keys), local file contents (like /etc/passwd), and system information (including hostname and OS details).
The impact requires that the server configuration uses the vars_regexp matcher on user-controlled input and reflects the matched content in responses. Exploiting this can expose critical secrets and system data, potentially leading to further attacks or system compromise.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending specially crafted HTTP requests with headers containing placeholders like {env.SECRET_API_KEY} or {file./etc/hosts} to a Caddy server route that uses the vars_regexp matcher. If the server responds with expanded environment variables, file contents, or system information instead of the literal placeholder, the vulnerability is present.

A practical detection method is to use curl or similar HTTP clients to send requests with headers containing these placeholders and observe the response.

- curl -H "X-Input: {env.SECRET_API_KEY}" http://your-caddy-server/your-endpoint
- curl -H "X-Input: {file./etc/passwd}" http://your-caddy-server/your-endpoint

If the response contains the actual secret key or file contents instead of the placeholder text, the server is vulnerable. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade the Caddy server to version 2.11.2 or later, where this vulnerability has been patched.
Version 2.11.2 fixes the double-expansion issue in the vars_regexp matcher, preventing secret leakage through placeholder expansion.
Until the upgrade can be performed, consider restricting or sanitizing user-controlled input that can be matched by vars_regexp to avoid processing untrusted placeholders.