CVE-2026-30852
MEDIUM EPSS 31.9%
Published Mar 7, 20263mo ago · Modified Jun 17, 20262w ago
5.5 CVSS 4.0
Published Mar 7, 2026 3mo ago
Last Modified Jun 17, 2026 2w ago
Description
Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When vars_regexp matches against a placeholder like {http.request.header.X-Input}, the header value gets resolved once (expected), then passed through repl.ReplaceAll() again (the bug). This means an attacker can put {env.DATABASE_URL} or {file./etc/passwd} in a request header and the server will evaluate it, leaking environment variables, file contents, and system info. This issue has been patched in version 2.11.2.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X
Threat Intelligence
EPSS Exploit Probability
31.9% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 2
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Information Exposure
CWE-74
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| caddyserver | caddy | * | ≥2.7.5 – <2.11.2 |
References 3
- github.com https://github.com/caddyserver/caddy/pull/5408
- github.com https://github.com/caddyserver/caddy/releases/tag/v2.11.2
- github.com https://github.com/caddyserver/caddy/security/advisories/GHSA-m2w3-8f23-hxxf
Remediation
- github.com https://github.com/caddyserver/caddy/pull/5408