CVE-2026-30852
Published: 07 March 2026
Summary
CVE-2026-30852 is a medium-severity Injection (CWE-74) vulnerability in Caddyserver Caddy. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 6.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-30852 is a vulnerability in Caddy, an extensible server platform that uses TLS by default, affecting versions from 2.7.5 up to but not including 2.11.2. The issue resides in the vars_regexp matcher at vars.go:337, where user-controlled input is double-expanded through the Caddy replacer. Specifically, when the matcher processes a placeholder such as {http.request.header.X-Input}, the header value is resolved once as expected but then passed through repl.ReplaceAll() again, enabling unintended evaluation of embedded placeholders.
The vulnerability can be exploited by any unauthenticated remote attacker with network access, requiring low complexity and no user interaction (CVSS 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). By injecting placeholders like {env.DATABASE_URL} or {file./etc/passwd} into a request header such as X-Input, the attacker triggers the double expansion, allowing the server to evaluate and disclose sensitive environment variables, file contents, and system information.
Mitigation is available via the patch in Caddy version 2.11.2, as detailed in the project's security advisory (GHSA-m2w3-8f23-hxxf), the corresponding pull request (https://github.com/caddyserver/caddy/pull/5408), and the release notes (https://github.com/caddyserver/caddy/releases/tag/v2.11.2). Security practitioners should upgrade affected instances immediately to prevent information disclosure associated with CWE-74 (injection) and CWE-200 (exposure of sensitive information).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10177
Vulnerability details
Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When vars_regexp matches against a placeholder like {http.request.header.X-Input}, the header value gets resolved once (expected), then passed through repl.ReplaceAll() again (the bug). This means an attacker can put {env.DATABASE_URL} or {file./etc/passwd} in a request header and the server will evaluate it, leaking environment variables, file contents, and system info. This issue has been patched in version 2.11.2.
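To make the double-expansion mechanism described above concrete, the following is an added example written for this page; it is not Caddy's code and uses a constructed stand-in replacer with a constructed `env.SECRET_TOKEN` value. It shows the vulnerable two-pass expansion beside the single-pass form, plus a small check that flags header values carrying placeholder syntax.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Replacer is a constructed stand-in for a placeholder replacer (not Caddy's own code).
// Placeholders look like {key}; unknown keys are left as literal text.
type Replacer struct{ vars map[string]string }
var placeholderRe = regexp.MustCompile(`\{[^{}]+\}`)

// ReplaceAll performs exactly one expansion pass over s (replacements are not re-scanned).
func (r *Replacer) ReplaceAll(s string) string {
	return placeholderRe.ReplaceAllStringFunc(s, func(m string) string {
		key := strings.TrimSuffix(strings.TrimPrefix(m, "{"), "}")
		if v, ok := r.vars[key]; ok {
			return v
		}
		return m
	})
}

// VulnerableMatch reproduces the bug class: the matcher operand is expanded to the header
// value, then that value is fed through ReplaceAll again, so placeholders inside the header run.
func VulnerableMatch(r *Replacer, operand string) string {
	once := r.ReplaceAll(operand) // expected: resolves {http.request.header.X-Input}
	return r.ReplaceAll(once)     // the bug: re-evaluates request-supplied text
}

// FixedMatch expands once; whatever the request supplied is treated as literal text.
func FixedMatch(r *Replacer, operand string) string {
	return r.ReplaceAll(operand)
}
// HasEmbeddedPlaceholder flags request header values that carry placeholder syntax (detection aid).
func HasEmbeddedPlaceholder(headerValue string) bool { return placeholderRe.MatchString(headerValue) }

// NewDemoReplacer builds a replacer from constructed sample values.
func NewDemoReplacer() *Replacer {
	return &Replacer{vars: map[string]string{
		"env.SECRET_TOKEN":            "s3cr3t-constructed", // constructed secret
		"http.request.header.X-Input": "{env.SECRET_TOKEN}", // constructed hostile header value
	}}
}

func main() {
	r := NewDemoReplacer()
	fmt.Println("vulnerable:", VulnerableMatch(r, "{http.request.header.X-Input}"))
	fmt.Println("fixed:     ", FixedMatch(r, "{http.request.header.X-Input}"))
}
```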
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated exploitation of public-facing Caddy server via crafted headers (T1190) directly enables arbitrary local file reads and environment variable disclosure (T1005, T1552).
Mitigating Controls (NIST 800-53 r5)
- Patch installation: directly mitigates the CVE by requiring timely installation of the Caddy v2.11.2 patch that fixes the double-expansion of user-controlled input in the vars_regexp matcher.
- SI-10 (Information Input Validation): requires validation of user-controlled request headers to block injection of placeholders like {env.DATABASE_URL} or {file./etc/passwd} before processing by the Caddy replacer.
- AU-13 (Monitoring for Information Disclosure): monitors Caddy server components for disclosure of sensitive environment variables, file contents, or system information resulting from the double-expansion vulnerability.