Cyber Resilience

CVE-2026-30852

Severity: Medium · Public PoC referenced

Published: 07 March 2026

Modified: 11 March 2026
CVSS v4 score: 5.5 (Medium), vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P (remaining metrics not defined)
EPSS score: 0.0002 (percentile 6.2)
Risk priority: 11 (weighting 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-30852 is a medium-severity Injection (CWE-74) vulnerability in Caddyserver Caddy. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at percentile 6.2 by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-30852 is a vulnerability in Caddy, an extensible server platform that uses TLS by default, affecting versions from 2.7.5 up to but not including 2.11.2. The issue resides in the vars_regexp matcher at vars.go:337, where user-controlled input is double-expanded through the Caddy replacer. Specifically, when the matcher processes a placeholder such as {http.request.header.X-Input}, the header value is resolved once as expected but then passed through repl.ReplaceAll() again, enabling unintended evaluation of embedded placeholders.

The vulnerability can be exploited by any unauthenticated remote attacker with network access; attack complexity is low and no user interaction is required. The CVSS v3.1 vector cited for it (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, score 7.5) rates the confidentiality impact as high, whereas the CVSS v4 vector shown above (VC:L, score 5.5) rates it as low; both agree that only confidentiality is affected. By injecting placeholders such as {env.DATABASE_URL} or {file./etc/passwd} into a request header that the matcher expands (X-Input in the advisory's example), the attacker triggers the second expansion, and the server resolves the injected placeholder and discloses environment variables, file contents, or system information. Exposure therefore depends on configuration: a vars_regexp matcher must expand a client-controlled placeholder such as a request header for the second expansion to be reachable.

Mitigation is available via the patch in Caddy version 2.11.2, as detailed in the project's security advisory (GHSA-m2w3-8f23-hxxf), the linked pull request (https://github.com/caddyserver/caddy/pull/5408), and the release notes (https://github.com/caddyserver/caddy/releases/tag/v2.11.2). Security practitioners should upgrade affected instances immediately to prevent the information disclosure associated with CWE-74 (injection) and CWE-200 (exposure of sensitive information). Where an upgrade cannot be applied at once, audit configurations for vars_regexp matchers whose variable expression expands client-controlled input (such as request headers) and remove or replace them until the patched version is deployed.

Vulnerability details

Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When vars_regexp matches against a placeholder like {http.request.header.X-Input}, the header value gets resolved once (expected), then passed through repl.ReplaceAll() again (the bug). This means an attacker can put {env.DATABASE_URL} or {file./etc/passwd} in a request header and the server will evaluate it, leaking environment variables, file contents, and system info. This issue has been patched in version 2.11.2.
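The following is an added example, not Caddy's code: a minimal model of placeholder expansion that reproduces the double-expansion flow described in the deeper analysis and in the vulnerability details above, beside the single-expansion behaviour that the fix restores. The replacer, the constructed placeholder values, the X-Input header name and the Caddyfile matcher line in the comment are assumptions of this example; real Caddy resolves env., file. and system. placeholders lazily from the process environment, the filesystem and the host.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// replacer is a simplified stand-in for Caddy's placeholder replacer
// (example code, not Caddy's). Placeholders are written as {name}; a name
// with no value expands to the empty string.
type replacer struct {
	vars map[string]string
}

var placeholderRe = regexp.MustCompile(`\{[^{}]+\}`)

// ReplaceAll expands every {placeholder} in s exactly once. The substituted
// text is not re-scanned, so a single call cannot evaluate placeholders
// that arrived inside a value.
func (r replacer) ReplaceAll(s string) string {
	return placeholderRe.ReplaceAllStringFunc(s, func(ph string) string {
		key := strings.TrimSuffix(strings.TrimPrefix(ph, "{"), "}")
		return r.vars[key]
	})
}

// newRequestReplacer builds the replacer for one request. The values are
// constructed for this example.
func newRequestReplacer(xInput string) replacer {
	return replacer{vars: map[string]string{
		"env.DATABASE_URL":            "postgres://app:s3cret@db.internal/app",
		"http.request.header.X-Input": xInput,
	}}
}

// matchVulnerable models the pre-2.11.2 vars_regexp flow: the matcher's
// variable expression is expanded once (expected), then the resulting
// header value is passed through ReplaceAll again (the bug), so
// placeholders supplied by the client are evaluated on the server.
func matchVulnerable(r replacer, varExpr string, re *regexp.Regexp) (string, bool) {
	val := r.ReplaceAll(varExpr) // "{http.request.header.X-Input}" -> header value
	val = r.ReplaceAll(val)      // BUG: the client-supplied value is itself expanded
	return val, re.MatchString(val)
}

// matchFixed expands the variable expression exactly once; whatever the
// client sent is opaque data that is only compared against the regexp.
func matchFixed(r replacer, varExpr string, re *regexp.Regexp) (string, bool) {
	val := r.ReplaceAll(varExpr)
	return val, re.MatchString(val)
}

func main() {
	// A matcher that expands a client-controlled header, as in the advisory's
	// {http.request.header.X-Input} example. Assumed Caddyfile form:
	//   @in vars_regexp secret {http.request.header.X-Input} ^(?P<v>.+)$
	varExpr := "{http.request.header.X-Input}"
	anything := regexp.MustCompile(`^(?P<v>.+)$`)

	// The attacker sends the header  X-Input: {env.DATABASE_URL}
	r := newRequestReplacer("{env.DATABASE_URL}")

	v, _ := matchVulnerable(r, varExpr, anything)
	fmt.Printf("vulnerable: matched value = %q\n", v) // the database URL
	f, _ := matchFixed(r, varExpr, anything)
	fmt.Printf("fixed:      matched value = %q\n", f) // the literal placeholder text
}
```

In the vulnerable path the value the regexp operates on is the secret itself, so any downstream use of the match (in Caddy, regexp matcher capture groups are exposed as placeholders and can end up in a response) carries the expanded content; in the fixed path the client's placeholder text is never evaluated.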

CWE(s): CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')), CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1552 Unsecured Credentials (Credential Access): Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

Remote unauthenticated exploitation of public-facing Caddy server via crafted headers (T1190) directly enables arbitrary local file reads and environment variable disclosure (T1005, T1552).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-27588 (same product: Caddyserver Caddy)
CVE-2026-27586 (same product: Caddyserver Caddy)
CVE-2026-27587 (same product: Caddyserver Caddy)
CVE-2026-27590 (same product: Caddyserver Caddy)
CVE-2026-30851 (same product: Caddyserver Caddy)
CVE-2024-43707 (shared CWE-200)
CVE-2026-39412 (shared CWE-200)
CVE-2025-68438 (shared CWE-200)
CVE-2024-13562 (shared CWE-200)
CVE-2026-4660 (shared CWE-200)

Affected Assets

caddyserver/caddy, versions 2.7.5 up to but not including 2.11.2 (2.11.2 is the fixed release)

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mitigates the CVE by requiring timely installation of the Caddy v2.11.2 patch that fixes the double expansion of user-controlled input in the vars_regexp matcher.

Prevent, SI-10 (Information Input Validation): Requires validation of user-controlled request headers to block injection of placeholders like {env.DATABASE_URL} or {file./etc/passwd} before they are processed by the Caddy replacer.

Detect, AU-13 (Monitoring for Information Disclosure): Monitors Caddy server components for disclosure of sensitive environment variables, file contents, or system information resulting from the double-expansion vulnerability.
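As an added example of the detect control above (not code from the page or the Caddy project), the scanner below reads Caddy-style JSON access log records and flags any request header whose value carries an env., file. or system. placeholder, which a legitimate client has no reason to send. The log lines are constructed for the example in the shape of Caddy's JSON access log (request.remote_ip, request.uri, request.headers, status); the set of flagged namespaces and the X-Input header name are assumptions.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// accessLog is the subset of Caddy's JSON access log consumed here; Caddy
// records request headers as a map from header name to a list of values.
type accessLog struct {
	Request struct {
		RemoteIP string              `json:"remote_ip"`
		URI      string              `json:"uri"`
		Headers  map[string][]string `json:"headers"`
	} `json:"request"`
	Status int `json:"status"`
}

// suspiciousPlaceholder matches placeholder namespaces that only make sense
// server-side. env. and file. are the ones named in the advisory; system.
// is added as an assumption of this example. Extend the list as needed.
var suspiciousPlaceholder = regexp.MustCompile(`\{(env|file|system)\.[^{}]*\}`)

type finding struct {
	RemoteIP    string
	URI         string
	Header      string
	Placeholder string
	Status      int
}

// scanAccessLog parses newline-delimited JSON access log records and returns
// one finding per header value that contains a suspicious placeholder.
// Findings are sorted by placeholder so callers get a stable order.
func scanAccessLog(lines string) ([]finding, error) {
	var out []finding
	sc := bufio.NewScanner(strings.NewReader(lines))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var rec accessLog
		if err := json.Unmarshal([]byte(line), &rec); err != nil {
			return nil, fmt.Errorf("line %d: %w", n, err)
		}
		for name, vals := range rec.Request.Headers {
			for _, v := range vals {
				if ph := suspiciousPlaceholder.FindString(v); ph != "" {
					out = append(out, finding{
						RemoteIP:    rec.Request.RemoteIP,
						URI:         rec.Request.URI,
						Header:      name,
						Placeholder: ph,
						Status:      rec.Status,
					})
				}
			}
		}
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Placeholder < out[j].Placeholder })
	return out, nil
}

// sampleLog is constructed for this example; only the fields used above are
// present. Line 1 is benign, lines 2 and 3 carry injected placeholders.
const sampleLog = `
{"msg":"handled request","request":{"remote_ip":"192.0.2.10","uri":"/","headers":{"User-Agent":["curl/8.4.0"],"X-Input":["hello"]}},"status":200}
{"msg":"handled request","request":{"remote_ip":"203.0.113.5","uri":"/","headers":{"User-Agent":["curl/8.4.0"],"X-Input":["{env.DATABASE_URL}"]}},"status":200}
{"msg":"handled request","request":{"remote_ip":"198.51.100.7","uri":"/login","headers":{"X-Input":["{file./etc/passwd}"]}},"status":200}
`

func main() {
	findings, err := scanAccessLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s: header %s carries %s (status %d)\n",
			f.RemoteIP, f.URI, f.Header, f.Placeholder, f.Status)
	}
}
```

A hit shows an attempt, not a confirmed leak: whether the placeholder was evaluated depends on the Caddy version and on whether a vars_regexp matcher expanded that header, so pair each finding with the server's version and its configuration. The same pattern, applied to a request matcher in front of the site, serves the SI-10 control by rejecting such headers before the replacer sees them.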
