CVE-2026-30852 affects the Caddy web server, an extensible platform that uses TLS by default. The vulnerability exists in the vars_regexp matcher component, specifically in the file vars.go at line 337, where user-controlled input is double-expanded through the Caddy replacer mechanism. Normally, when a placeholder such as {http.request.header.X-Input} is processed, the header value is resolved once. However, due to the bug, the resolved value is passed through the replacer's ReplaceAll() function a second time, causing unintended evaluation of embedded placeholders. This allows an attacker to craft HTTP request headers containing placeholders like {env.DATABASE_URL} or {file./etc/passwd}, which the server then evaluates, leaking sensitive environment variables, arbitrary file contents, and system information. This behavior results from unsafe input evaluation (CWE-74) leading to exposure of sensitive information to unauthorized actors (CWE-200). The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. It affects all Caddy versions from 2.7.5 up to but not including 2.11.2. The issue has been fixed in version 2.11.2 by correcting the input handling to prevent double expansion. No public exploits are known at this time, but the impact of data leakage is significant.

The vulnerability enables attackers to remotely extract sensitive environment variables, file contents, and system information from servers running vulnerable Caddy versions. This can lead to exposure of secrets such as database credentials, API keys, and configuration details, which attackers can leverage for further compromise, lateral movement, or data exfiltration. The unauthorized disclosure undermines confidentiality and may indirectly affect integrity and availability if attackers use the leaked information to escalate privileges or disrupt services. Since exploitation requires no authentication or user interaction, any publicly accessible Caddy server with affected versions is at risk. Organizations using Caddy in production, especially those hosting sensitive applications or data, face increased risk of data breaches and compliance violations. Although no exploits are currently reported in the wild, the ease of exploitation and severity of data exposure make this a critical concern for affected deployments.

The primary mitigation is to upgrade all affected Caddy server instances to version 2.11.2 or later, where the vulnerability is patched. Until upgrades can be performed, organizations should implement strict input validation and filtering on HTTP headers to block suspicious placeholders containing patterns like {env.*} or {file.*}. Deploying Web Application Firewalls (WAFs) with custom rules to detect and block such injection attempts can reduce exposure. Additionally, review and minimize sensitive environment variables and file permissions accessible to the Caddy process to limit potential data leakage. Monitoring server logs for unusual header values or repeated requests containing suspicious placeholders can help detect exploitation attempts. Finally, conduct a thorough audit of secrets and credentials potentially exposed and rotate them if compromise is suspected.