PT-2026-23797 · Caddy · Caddy

Sammiee5311 · Published 2026-03-06 · Updated 2026-03-25 · CVE-2026-30852

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Caddy versions from 2.7.5 up to, but not including, 2.11.2 (the fix ships in 2.11.2, see Recommendations).

Description
The vars regexp matcher (vars_regexp in Caddyfile syntax) in Caddy double-expands user-controlled input through the Caddy replacer. When the matcher's variable is a placeholder such as {http.request.header.X-Input}, the header value is resolved and the result is then run through the replacer a second time. An attacker can therefore put placeholders such as {env.DATABASE_URL} or {file./etc/passwd} into a request header and have them evaluated on the server, potentially leaking environment variables, file contents (up to 1 MB) and system information such as the hostname and operating system details.

The issue stems from a code-level inconsistency: vars regexp performs an unnecessary second expansion step that header regexp and path regexp do not. That extra expansion was introduced by an earlier fix intended to resolve placeholder keys. Exploitation requires only a crafted request with a malicious header; no authentication or user interaction is needed, which the CVSS vector reflects (AV:N/PR:N/UI:N). Configurations are exposed where a vars regexp matcher is applied to a placeholder that resolves to request-controlled data, such as a request header, and the matched value or its capture groups are later reflected or logged.

Recommendations
Update Caddy to version 2.11.2 or later. Until the upgrade is deployed, review Caddyfile and JSON configurations for vars regexp matchers whose variable expands request-controlled placeholders.
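The double-expansion behaviour described above, reduced to a runnable illustration. This is an added example and not Caddy's own code: the Replacer type, demoReplacer, vulnerableVarsRegexpInput, fixedVarsRegexpInput and captures are hypothetical names chosen for this page, and the header, environment, file and hostname values are constructed sample data. It mirrors the point in the description: a single pass leaves a header value that merely looks like a placeholder as literal text, while a second pass over that value resolves it against server-side data; the fixed variant expands exactly once, as header regexp and path regexp do.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// placeholderRE matches one Caddy-style placeholder such as
// {http.request.header.X-Input} or {env.DATABASE_URL}.
var placeholderRE = regexp.MustCompile(`\{([^{}]+)\}`)

// Replacer is a toy stand-in (not Caddy's implementation) for Caddy's replacer:
// every {key} in a string is looked up once and substituted; unknown keys
// become "". Substituted text is NOT rescanned, so a header value that itself
// looks like a placeholder survives a single pass as literal text.
type Replacer struct {
	lookup func(key string) (string, bool)
}

func (r Replacer) ReplaceAll(s string) string {
	return placeholderRE.ReplaceAllStringFunc(s, func(m string) string {
		if v, ok := r.lookup(m[1 : len(m)-1]); ok {
			return v
		}
		return ""
	})
}

// demoReplacer builds a replacer over constructed sample data standing in for
// the request headers, process environment, readable files and host facts that
// Caddy exposes as http.request.header.*, env.*, file.* and system.*.
func demoReplacer(headerValue string) Replacer {
	headers := map[string]string{"X-Input": headerValue}
	env := map[string]string{"DATABASE_URL": "postgres://app:s3cret@db.internal/prod"} // constructed
	files := map[string]string{"/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"}  // constructed
	return Replacer{lookup: func(key string) (string, bool) {
		switch {
		case strings.HasPrefix(key, "http.request.header."):
			v, ok := headers[strings.TrimPrefix(key, "http.request.header.")]
			return v, ok
		case strings.HasPrefix(key, "env."):
			v, ok := env[strings.TrimPrefix(key, "env.")]
			return v, ok
		case strings.HasPrefix(key, "file."):
			v, ok := files[strings.TrimPrefix(key, "file.")]
			return v, ok
		case key == "system.hostname":
			return "web-01", true // constructed
		}
		return "", false
	}}
}

// vulnerableVarsRegexpInput mirrors the affected behaviour: the matcher's
// variable argument is expanded, and the result (now attacker-controlled
// header text) is run through the replacer a second time.
func vulnerableVarsRegexpInput(r Replacer, variable string) string {
	first := r.ReplaceAll(variable)
	return r.ReplaceAll(first) // the unnecessary second expansion
}

// fixedVarsRegexpInput expands exactly once, which is what header regexp and
// path regexp do and what the fix restores.
func fixedVarsRegexpInput(r Replacer, variable string) string {
	return r.ReplaceAll(variable)
}

// captures runs the matcher's regexp over the expanded input and returns the
// capture groups; in Caddy these become {re.<name>.<n>} placeholders that a
// later handler can echo back to the client, which is how the leak reaches
// the attacker.
func captures(input string, re *regexp.Regexp) []string {
	m := re.FindStringSubmatch(input)
	if m == nil {
		return nil
	}
	return m[1:]
}

func main() {
	variable := "{http.request.header.X-Input}"
	leakRE := regexp.MustCompile(`(?s)^(.*)$`) // greedy capture of the whole value
	for _, hdr := range []string{"{env.DATABASE_URL}", "{file./etc/passwd}", "{system.hostname}"} {
		r := demoReplacer(hdr)
		fmt.Printf("header X-Input: %q\n", hdr)
		fmt.Printf("  vulnerable: %q\n", captures(vulnerableVarsRegexpInput(r, variable), leakRE))
		fmt.Printf("  fixed:      %q\n", captures(fixedVarsRegexpInput(r, variable), leakRE))
	}
}
```

Running it shows the vulnerable path returning the database URL, the file body and the hostname for the three constructed headers, while the fixed path returns the header text unchanged. The same structure applies to any placeholder the replacer can resolve on the server, not just the three the advisory names.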

Exploit

Fix

Weakness Enumeration

Special Elements Injection

Information Disclosure

Related Identifiers

CVE-2026-30852
GHSA-M2W3-8F23-HXXF
GO-2026-4644
SUSE-SU-2026:1042-1

Affected Products

Caddy