
Caddy Server Leaks Sensitive Data from User-Controlled Input

UBUNTU-CVE-2026-30852
Summary

Caddy servers running versions from 2.7.5 up to, but not including, 2.11.2 are vulnerable to data exposure. An attacker who controls input that a vars_regexp matcher evaluates (such as a request header) can have the server expand placeholders in that input and disclose sensitive data, such as environment variables, file contents, and system information. Upgrade to version 2.11.2 or later to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor | Product | Affected versions | Fix available
canonical | caddy | All versions | none yet
Original title
Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in vars.go:337 double-expands user-controlled input through the...
Original description
Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When vars_regexp matches against a placeholder like {http.request.header.X-Input}, the header value gets resolved once (expected), then passed through repl.ReplaceAll() again (the bug). This means an attacker can put {env.DATABASE_URL} or {file./etc/passwd} in a request header and the server will evaluate it, leaking environment variables, file contents, and system info. This issue has been patched in version 2.11.2.
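The double-expansion bug described above, as an added example that is not Caddy's code: a toy placeholder replacer (hypothetical Replacer type, with constructed values for the X-Input header and a DATABASE_URL secret) is run through the vulnerable expand-twice path and the fixed expand-once path, showing why a header value must be matched as an opaque string.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// placeholderRe matches one {name} placeholder (Caddy-style braces, no nesting).
var placeholderRe = regexp.MustCompile(`\{[^{}]+\}`)
// Replacer is a toy stand-in for the Caddy replacer: placeholder name -> value (not Caddy's type).
type Replacer map[string]string
// ReplaceAll expands every known placeholder in s once; unknown ones are kept verbatim.
func (r Replacer) ReplaceAll(s string) string {
	return placeholderRe.ReplaceAllStringFunc(s, func(ph string) string {
		if v, ok := r[strings.Trim(ph, "{}")]; ok {
			return v
		}
		return ph
	})
}
// NewDemoReplacer uses constructed values: a client-controlled header and a server secret.
func NewDemoReplacer(xInput string) Replacer {
	return Replacer{
		"http.request.header.X-Input": xInput,
		"env.DATABASE_URL":            "postgres://app:CONSTRUCTED_SECRET@db/app",
	}
}

// MatchVulnerable mirrors the pre-2.11.2 behaviour in the advisory: expand once
// (expected), then run the result through ReplaceAll again (the bug).
func MatchVulnerable(r Replacer, input string, re *regexp.Regexp) (bool, string) {
	once := r.ReplaceAll(input)
	twice := r.ReplaceAll(once) // the header value is now evaluated as a template
	return re.MatchString(twice), twice
}

// MatchFixed expands once and matches the header value as an opaque string.
func MatchFixed(r Replacer, input string, re *regexp.Regexp) (bool, string) {
	once := r.ReplaceAll(input)
	return re.MatchString(once), once
}

func main() {
	r := NewDemoReplacer("{env.DATABASE_URL}") // hostile header value quoted in the advisory
	re := regexp.MustCompile(`^postgres://`)
	_, leaked := MatchVulnerable(r, "{http.request.header.X-Input}", re)
	_, safe := MatchFixed(r, "{http.request.header.X-Input}", re)
	fmt.Printf("vulnerable: %s\nfixed: %s\n", leaked, safe)
}
```

On the vulnerable path the matcher sees the resolved secret, so a regexp such as `^postgres://` reports a match and the response can differ based on secret contents; on the fixed path it only ever sees the literal text the client sent.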
osv CVSS4.0 7.8
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026