CVE-2026-30852 Overview
CVE-2026-30852 is an information disclosure vulnerability in Caddy, an extensible server platform that uses TLS by default. The vulnerability exists in the vars_regexp matcher within vars.go at line 337, where user-controlled input is double-expanded through the Caddy replacer mechanism. This flaw allows attackers to leak sensitive information including environment variables, file contents, and system information by injecting specially crafted placeholder expressions in request headers.
Critical Impact
Attackers can extract sensitive environment variables (such as database connection strings), read arbitrary file contents, and enumerate system information by exploiting the double-expansion behavior in the vars_regexp matcher.
Affected Products
- Caddy Server versions 2.7.5 through 2.11.1
Discovery Timeline
- 2026-03-07 - CVE-2026-30852 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-30852
Vulnerability Analysis
The vulnerability stems from improper handling of placeholder expansion in Caddy's vars_regexp matcher. When the matcher evaluates a placeholder such as {http.request.header.X-Input}, the header value undergoes an initial resolution (which is expected behavior). However, due to the bug, the resolved value is then passed through repl.ReplaceAll() a second time. This double-expansion creates an injection point where attacker-controlled input containing Caddy placeholder syntax gets evaluated as server-side expressions.
For example, if an attacker sends a request with a header containing {env.DATABASE_URL}, the first expansion resolves the header value, and the second expansion evaluates the embedded placeholder, returning the actual environment variable content to the attacker. Similarly, {file./etc/passwd} would cause the server to read and return the contents of the passwd file.
Root Cause
The root cause is a design flaw in the vars_regexp matcher implementation at vars.go:337. The code fails to properly sanitize or escape placeholder syntax before performing the secondary repl.ReplaceAll() operation. This violates the principle of treating user input as data rather than executable expressions, resulting in server-side template injection through Caddy's replacer mechanism.
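The following Go program is an added illustration of the double-expansion flaw described in the Vulnerability Analysis and Root Cause sections; it is not Caddy's code. It uses a toy replacer (a regexp over a map of constructed variables, with no real environment or file access) so that the difference between expanding once and expanding twice is visible on a single hypothetical request. The variable names, the X-Input header and the DEMO_SECRET value are all constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Toy placeholder replacer constructed for this example. It is not Caddy's
// replacer; it only mimics the "{name}" substitution shape the advisory describes.
var placeholderRe = regexp.MustCompile(`\{([^{}]+)\}`)

// replaceAll substitutes every {name} that has a known value and leaves
// unknown placeholders untouched.
func replaceAll(s string, vars map[string]string) string {
	return placeholderRe.ReplaceAllStringFunc(s, func(m string) string {
		if v, ok := vars[m[1:len(m)-1]]; ok {
			return v
		}
		return m
	})
}

// matchVulnerable mirrors the flawed flow: the first expansion resolves the
// header placeholder to the raw header value (expected), and the second
// expansion re-evaluates that user-controlled value as placeholder syntax (the bug).
func matchVulnerable(expr string, vars map[string]string) string {
	resolved := replaceAll(expr, vars)
	return replaceAll(resolved, vars)
}

// matchFixed expands exactly once, so whatever the client sent stays literal data.
func matchFixed(expr string, vars map[string]string) string {
	return replaceAll(expr, vars)
}

// demoVars builds the variable table for one hypothetical request. The
// environment value is a constructed stand-in; nothing here reads the real
// environment or the filesystem.
func demoVars(headerValue string) map[string]string {
	return map[string]string{
		"http.request.header.X-Input": headerValue,
		"env.DEMO_SECRET":             "hunter2-constructed",
	}
}

func main() {
	const expr = "{http.request.header.X-Input}"
	vars := demoVars("{env.DEMO_SECRET}") // header value that carries placeholder syntax
	fmt.Println("vulnerable:", matchVulnerable(expr, vars)) // hunter2-constructed
	fmt.Println("fixed:     ", matchFixed(expr, vars))      // {env.DEMO_SECRET}
}
```

The fix is structural rather than a sanitisation step: the second call to the replacer is simply removed, so the header value is never re-parsed. A sanitiser that tried to escape braces before the second expansion would have to track every placeholder form the replacer understands, which is exactly the kind of allow-list that drifts out of sync.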
Attack Vector
This vulnerability is exploitable via network-based attacks without authentication. An attacker can craft HTTP requests with malicious placeholder expressions embedded in request headers that are processed by the vars_regexp matcher. The attack requires no user interaction and can be executed remotely against any Caddy server running a vulnerable version with a configuration that uses the vars_regexp matcher.
The exploitation involves sending HTTP requests with headers containing Caddy placeholder syntax. When the vars_regexp matcher processes headers like X-Input: {env.SECRET_KEY} or X-Input: {file./etc/passwd}, the double-expansion causes these placeholders to be evaluated, exposing sensitive data in the server's response or logs.
Detection Methods for CVE-2026-30852
Indicators of Compromise
- HTTP request headers containing Caddy placeholder syntax such as {env.*}, {file.*}, or {system.*}
- Unusual patterns in access logs showing header values with curly brace expressions
- Server responses containing sensitive environment variable contents or file data
- Repeated requests probing for common environment variable names like DATABASE_URL, API_KEY, or SECRET_KEY
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing Caddy placeholder patterns in headers
- Monitor access logs for anomalous header values containing curly brace patterns matching \{[a-z]+\.[^\}]+\}
- Deploy intrusion detection signatures targeting Server-Side Template Injection (SSTI) patterns specific to Caddy's replacer syntax
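The log-monitoring strategy above can be run as a small scanner over Caddy's JSON access log. The Go program below is an added example, not part of the advisory or of Caddy; it applies the advisory's own pattern (\{[a-z]+\.[^\}]+\}) to every request header value. The log lines are constructed and follow the field layout of Caddy's default JSON access log (logger "http.log.access", with request.remote_ip and request.headers as a map of header name to list of values); the IP addresses and header values are sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// placeholderProbe is the pattern from the advisory's detection guidance:
// an opening brace, a lowercase scope, a dot, anything up to the closing brace.
var placeholderProbe = regexp.MustCompile(`\{[a-z]+\.[^}]+\}`)

// accessEntry models only the fields this check reads from Caddy's JSON access
// log; every other field is ignored when decoding.
type accessEntry struct {
	Logger  string `json:"logger"`
	Request struct {
		RemoteIP string              `json:"remote_ip"`
		Method   string              `json:"method"`
		URI      string              `json:"uri"`
		Headers  map[string][]string `json:"headers"`
	} `json:"request"`
}

// Finding is one header value that looks like a placeholder probe.
type Finding struct {
	RemoteIP, Header, Value string
}

// scanLine decodes one log line and reports every header value containing
// placeholder syntax. Lines that are not JSON access-log records (runtime log
// text, other loggers) are skipped rather than treated as errors.
func scanLine(line string) []Finding {
	var e accessEntry
	if err := json.Unmarshal([]byte(line), &e); err != nil || e.Logger != "http.log.access" {
		return nil
	}
	var out []Finding
	for name, values := range e.Request.Headers {
		for _, v := range values {
			if placeholderProbe.MatchString(v) {
				out = append(out, Finding{e.Request.RemoteIP, name, v})
			}
		}
	}
	return out
}

// scanLog applies scanLine to every line and concatenates the findings.
func scanLog(lines []string) []Finding {
	var all []Finding
	for _, l := range lines {
		all = append(all, scanLine(l)...)
	}
	return all
}

// sampleLog holds constructed lines in the shape of Caddy's default JSON access log.
var sampleLog = []string{
	`{"level":"info","ts":1772900000.1,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.10","method":"GET","uri":"/","headers":{"User-Agent":["curl/8.0"],"X-Input":["hello"]}},"status":200}`,
	`{"level":"info","ts":1772900001.2,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"198.51.100.7","method":"GET","uri":"/","headers":{"X-Input":["{env.DATABASE_URL}"]}},"status":200}`,
	`{"level":"info","ts":1772900002.3,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"198.51.100.7","method":"GET","uri":"/","headers":{"X-Input":["{file./etc/passwd}"]}},"status":200}`,
	`{"level":"info","ts":1772900003.4,"logger":"admin","msg":"admin endpoint started"}`,
	`not json at all`,
}

func main() {
	for _, f := range scanLog(sampleLog) {
		fmt.Printf("suspect placeholder from %s in header %s: %q\n", f.RemoteIP, f.Header, f.Value)
	}
}
```

Two practical notes: Caddy only records request headers in the access log when logging is configured to include them, so the "enable verbose logging" recommendation above is a prerequisite for this check; and the pattern deliberately matches any {scope.name} form, not just {env.*} and {file.*}, because the page's own root-cause description is that any placeholder the replacer knows is evaluated.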
Monitoring Recommendations
- Enable verbose logging on Caddy servers to capture full request headers for forensic analysis
- Set up alerts for requests containing potential injection patterns in custom headers processed by vars_regexp
- Monitor for unusual file access patterns or environment variable reads from Caddy processes
How to Mitigate CVE-2026-30852
Immediate Actions Required
- Upgrade Caddy Server to version 2.11.2 or later immediately
- Review Caddy configurations to identify usage of vars_regexp matchers processing user-controlled input
- Audit server logs for evidence of exploitation attempts targeting placeholder injection
- Consider temporarily disabling vars_regexp matchers on user-controlled input until patching is complete
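The configuration review step above can be automated for Caddy's JSON config format. The Go program below is an added example, not Caddy's code: it walks a decoded config of any nesting depth, finds every vars_regexp matcher, and flags keys whose variable is fed by the client. It assumes the JSON shape in which vars_regexp maps a variable placeholder (such as the page's {http.request.header.X-Input}) to a pattern object; the sample config and the list of request-controlled placeholder prefixes are constructed for the example and should be extended for a real deployment.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// requestControlled lists placeholder prefixes whose values the client chooses.
// This is a starting assumption for the audit, not an exhaustive Caddy list.
var requestControlled = []string{
	"{http.request.header.",
	"{http.request.uri",
	"{http.request.body",
	"{http.request.cookie.",
}

// auditConfig decodes a Caddy JSON config and returns one entry per
// vars_regexp key that references request-controlled data, with the JSON path
// to the matcher so the finding can be located in the file.
func auditConfig(raw []byte) ([]string, error) {
	var cfg interface{}
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	var hits []string
	walk(cfg, "", &hits)
	sort.Strings(hits)
	return hits, nil
}

// walk recurses through objects and arrays; the traversal is generic so that
// servers, routes and subroutes at any depth are all covered.
func walk(node interface{}, path string, hits *[]string) {
	switch n := node.(type) {
	case map[string]interface{}:
		for k, v := range n {
			if k == "vars_regexp" {
				if m, ok := v.(map[string]interface{}); ok {
					for variable := range m {
						for _, p := range requestControlled {
							if strings.HasPrefix(variable, p) {
								*hits = append(*hits, path+"/vars_regexp "+variable)
							}
						}
					}
				}
			}
			walk(v, path+"/"+k, hits)
		}
	case []interface{}:
		for i, v := range n {
			walk(v, fmt.Sprintf("%s/%d", path, i), hits)
		}
	}
}

// sampleConfig is a constructed Caddy JSON config with one matcher on a
// request header (flagged) and one on a server-set variable (not flagged).
const sampleConfig = `{"apps":{"http":{"servers":{"srv0":{"listen":[":443"],"routes":[
 {"match":[{"vars_regexp":{"{http.request.header.X-Input}":{"pattern":"^[a-z]+$"}}}],
  "handle":[{"handler":"static_response","body":"ok"}]},
 {"match":[{"vars_regexp":{"{http.vars.tenant}":{"pattern":"^acme$"}}}],
  "handle":[{"handler":"static_response","body":"tenant"}]}
]}}}}}`

func main() {
	hits, err := auditConfig([]byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Println("vars_regexp on request-controlled input:", h)
	}
}
```

Each flagged matcher is a candidate for the temporary workaround listed above (disabling or rewriting it until the upgrade to 2.11.2 is complete); matchers keyed on server-set variables are lower priority but still worth a look if the variable itself is derived from request data.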
Patch Information
The vulnerability has been patched in Caddy version 2.11.2. The fix addresses the double-expansion issue by ensuring user-controlled input is not processed through repl.ReplaceAll() a second time. Organizations should update to the patched version as soon as possible. For technical details on the fix, refer to the GitHub Pull Request #5408 and the GitHub Security Advisory.
Workarounds
- Avoid using vars_regexp matchers that process untrusted user input until the patch is applied
- Implement upstream input validation to strip or reject requests containing Caddy placeholder patterns
- Use a reverse proxy or WAF in front of Caddy to filter malicious placeholder expressions from request headers
- Restrict environment variables accessible to the Caddy process to minimize potential data exposure
# Upgrade Caddy to patched version
caddy upgrade
# Or install specific version
go install github.com/caddyserver/caddy/v2/cmd/caddy@v2.11.2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

