TLS Server Vulnerability in Caddy Affects User-Controlled Input Handling
CVE-2026-30852

5.5 MEDIUM

Key Information:

Status
Vendor
CVE Published:
7 March 2026

What is CVE-2026-30852?

Caddy Server, an extensible server platform that uses TLS by default, has a vulnerability in its vars_regexp matcher: user-controlled input undergoes double expansion. In versions 2.7.5 through 2.11.1, an input such as {http.request.header.X-Input} is resolved once and the resolved value is then passed through the replacer again, so an attacker who controls the header value can cause placeholders inside it to be expanded as well and extract sensitive information such as environment variables or file contents, including system information. The issue is fixed in version 2.11.2.
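The double-expansion flaw described above, modelled as an added Go example that is not Caddy's own code: a toy placeholder replacer over a constructed placeholder table, the flawed matcher that runs the resolved input through the replacer a second time, and the hardened form that expands the configured input exactly once and treats the result as opaque data. The function names, the placeholder table and the secret value are constructed assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed placeholder table standing in for a request-scoped
// replacer (hypothetical values; not Caddy's replacer).
var placeholders = map[string]string{
	// Header value chosen by the client; it contains placeholder syntax.
	"http.request.header.X-Input": "{env.APP_SECRET}",
	// Constructed stand-in for a process environment variable.
	"env.APP_SECRET": "s3cr3t-value",
}

var placeholderRE = regexp.MustCompile(`\{([^{}]+)\}`)

// expandOnce replaces every {name} with its value; unknown names stay as-is.
func expandOnce(s string) string {
	return placeholderRE.ReplaceAllStringFunc(s, func(m string) string {
		if v, ok := placeholders[strings.Trim(m, "{}")]; ok {
			return v
		}
		return m
	})
}

// matchDoubleExpand models the flawed behaviour: the already-resolved
// input is fed through the replacer again, so placeholders that arrived
// inside the header value are resolved too.
func matchDoubleExpand(input string, re *regexp.Regexp) (string, bool) {
	resolved := expandOnce(expandOnce(input))
	return resolved, re.MatchString(resolved)
}

// matchSingleExpand is the hardened form: the configured input is
// expanded exactly once and the resulting string is opaque data.
func matchSingleExpand(input string, re *regexp.Regexp) (string, bool) {
	resolved := expandOnce(input)
	return resolved, re.MatchString(resolved)
}

func main() {
	re := regexp.MustCompile(`^s3cr3t`)
	v, ok := matchDoubleExpand("{http.request.header.X-Input}", re)
	fmt.Printf("double expansion: %q match=%v\n", v, ok)
	v, ok = matchSingleExpand("{http.request.header.X-Input}", re)
	fmt.Printf("single expansion: %q match=%v\n", v, ok)
}
```

With double expansion the regexp is evaluated against the secret, so the match outcome leaks information about it; with single expansion it is evaluated against the literal header text.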

Affected Version(s)

caddy >= 2.7.5, < 2.11.2

CVSS v4

Score: 5.5
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved