2445490 – (CVE-2026-30852) CVE-2026-30852 github.com/caddyserver/caddy/v2/modules/caddyhttp: Caddy: Information disclosure via double-expansion of user-controlled input

Bug 2445490 (CVE-2026-30852) - CVE-2026-30852 github.com/caddyserver/caddy/v2/modules/caddyhttp: Caddy: Information disclosure via double-expansion of user-controlled input

Summary: CVE-2026-30852 github.com/caddyserver/caddy/v2/modules/caddyhttp: Caddy: Info...

Keywords:
Status:	NEW
Alias:	CVE-2026-30852
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2445849
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-07 17:01 UTC by OSIDB Bzimport
Modified:	2026-03-09 20:38 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-07 17:01:25 UTC

Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When vars_regexp matches against a placeholder like {http.request.header.X-Input}, the header value gets resolved once (expected), then passed through repl.ReplaceAll() again (the bug). This means an attacker can put {env.DATABASE_URL} or {file./etc/passwd} in a request header and the server will evaluate it, leaking environment variables, file contents, and system info. This issue has been patched in version 2.11.2.

Note You need to log in before you can comment on or make changes to this bug.