{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30852", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-05T21:27:35.341Z", "datePublished": "2026-03-07T16:28:26.894Z", "dateUpdated": "2026-03-09T18:24:55.495Z"}, "containers": {"cna": {"title": "Caddy: vars_regexp double-expands user input, leaking env vars and files", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/caddyserver/caddy/security/advisories/GHSA-m2w3-8f23-hxxf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-m2w3-8f23-hxxf"}, {"name": "https://github.com/caddyserver/caddy/pull/5408", "tags": ["x_refsource_MISC"], "url": "https://github.com/caddyserver/caddy/pull/5408"}, {"name": "https://github.com/caddyserver/caddy/releases/tag/v2.11.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.2"}], "affected": [{"vendor": "caddyserver", "product": "caddy", "versions": [{"version": ">= 2.7.5, < 2.11.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T16:28:26.894Z"}, "descriptions": [{"lang": "en", "value": "Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When vars_regexp matches against a placeholder like {http.request.header.X-Input}, the header value gets resolved once (expected), then passed through repl.ReplaceAll() again (the bug). This means an attacker can put {env.DATABASE_URL} or {file./etc/passwd} in a request header and the server will evaluate it, leaking environment variables, file contents, and system info. This issue has been patched in version 2.11.2."}], "source": {"advisory": "GHSA-m2w3-8f23-hxxf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T18:19:34.437219Z", "id": "CVE-2026-30852", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T18:24:55.495Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30852", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T18:19:34.437219Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T18:19:35.549Z"}}], "cna": {"title": "Caddy: vars_regexp double-expands user input, leaking env vars and files", "source": {"advisory": "GHSA-m2w3-8f23-hxxf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "caddyserver", "product": "caddy", "versions": [{"status": "affected", "version": ">= 2.7.5, < 2.11.2"}]}], "references": [{"url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-m2w3-8f23-hxxf", "name": "https://github.com/caddyserver/caddy/security/advisories/GHSA-m2w3-8f23-hxxf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/caddyserver/caddy/pull/5408", "name": "https://github.com/caddyserver/caddy/pull/5408", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.2", "name": "https://github.com/caddyserver/caddy/releases/tag/v2.11.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When vars_regexp matches against a placeholder like {http.request.header.X-Input}, the header value gets resolved once (expected), then passed through repl.ReplaceAll() again (the bug). This means an attacker can put {env.DATABASE_URL} or {file./etc/passwd} in a request header and the server will evaluate it, leaking environment variables, file contents, and system info. This issue has been patched in version 2.11.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T16:28:26.894Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30852", "state": "PUBLISHED", "dateUpdated": "2026-03-09T18:24:55.495Z", "dateReserved": "2026-03-05T21:27:35.341Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-07T16:28:26.894Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*", "matchCriteriaId": "A3772146-497E-4F88-B309-90C277081DE9", "versionEndExcluding": "2.11.2", "versionStartIncluding": "2.7.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When vars_regexp matches against a placeholder like {http.request.header.X-Input}, the header value gets resolved once (expected), then passed through repl.ReplaceAll() again (the bug). This means an attacker can put {env.DATABASE_URL} or {file./etc/passwd} in a request header and the server will evaluate it, leaking environment variables, file contents, and system info. This issue has been patched in version 2.11.2."}, {"lang": "es", "value": "Caddy es una plataforma de servidor extensible que usa TLS por defecto. Desde la versi\u00f3n 2.7.5 hasta antes de la versi\u00f3n 2.11.2, el comparador vars_regexp en vars.go:337 expande doblemente la entrada controlada por el usuario a trav\u00e9s del reemplazador de Caddy. Cuando vars_regexp coincide con un marcador de posici\u00f3n como {http.request.header.X-Input}, el valor del encabezado se resuelve una vez (esperado), y luego se pasa por repl.ReplaceAll() de nuevo (el error). Esto significa que un atacante puede colocar {env.DATABASE_URL} o {file./etc /passwd} en un encabezado de solicitud y el servidor lo evaluar\u00e1, filtrando variables de entorno, contenido de archivos e informaci\u00f3n del sistema. Este problema ha sido parcheado en la versi\u00f3n 2.11.2."}], "id": "CVE-2026-30852", "lastModified": "2026-03-11T13:01:46.030", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-07T17:15:52.733", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/caddyserver/caddy/pull/5408"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/caddyserver/caddy/releases/tag/v2.11.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-m2w3-8f23-hxxf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.7.5,2.11.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "caddy", "source": "cna", "vendor": "caddyserver"}, "product": "caddy", "vendor": "caddyserver"}], "analysis": {"en": {"generated_at": "2026-04-18T09:45:35.653674+00:00", "value": {"mitigation_remediation": ["Upgrade Caddy to version 2.11.2 or newer to apply the vendor patch.", "Disable or remove the vars_regexp matcher in any configuration that processes untrusted header input, preventing the double-expansion behavior.", "Implement application or infrastructure monitoring to detect attempts to resolve environment variables or file paths through request headers and alert on suspicious activity."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure (environment variables and file contents)"}, "threat_synthesis": {"affected_systems": "CaddyServer Caddy, versions starting from 2.7.5 up to but not including 2.11.2, are affected. All installations of these versions that use the vars_regexp matcher in any header-based request can be exploited.", "description_and_impact": "The Caddy vars_regexp matcher performs an unintended double expansion of user-controlled input through the replacer. The likely attack vector is sending a crafted HTTP request header containing placeholders such as {env.DATABASE_URL} or {file./etc/passwd}. When a header such as {http.request.header.X-Input} contains placeholders that reference environment variables or file paths (e.g., {env.DATABASE_URL} or {file./etc/passwd}), the value is resolved twice, leaking the requested data to the attacker. This flaw is categorized as Information Exposure and Improper Handling of Special Characters, allowing sensitive data to be read without authentication or authorization.", "risk_and_exploitability": "The flaw has a CVSS score of 5.5, reflecting medium severity. EPSS indicates a low probability of exploitation (<1%). It is not listed in the CISA KEV catalog. Attackers can exploit the vulnerability from the network by sending a crafted HTTP request header; no privileged access or local compromise is required. Once triggered, confidential environment variables, file contents, and system information can be exposed to the attacker, potentially leading to credential theft and subsequent attacks."}}}}, "created": "2026-03-09T10:04:57.157742+00:00", "updated": "2026-04-18T10:00:10.299693+00:00", "vendors": ["caddyserver", "caddyserver$PRODUCT$caddy"]}