CVE-2026-30852 is a vulnerability in the Caddy web server platform, specifically affecting versions from 2.7.5 to before 2.11.2. The root cause lies in the vars_regexp matcher implementation within vars.go at line 337, where user-controlled input is double-expanded through the Caddy replacer mechanism. Normally, when a placeholder such as {http.request.header.X-Input} is matched, the header value is resolved once. However, due to the bug, the value is passed through the replacer's ReplaceAll() function a second time, causing unintended evaluation of embedded placeholders. An attacker can exploit this by injecting payloads like {env.DATABASE_URL} or {file./etc/passwd} into HTTP request headers. The server then evaluates these placeholders, exposing sensitive environment variables, file contents, or system information in the response or logs. This vulnerability is a combination of CWE-200 (Exposure of Sensitive Information) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). It requires no privileges or user interaction and can be triggered remotely over the network. The vulnerability was publicly disclosed and patched in Caddy version 2.11.2. No known exploits are currently reported in the wild, but the potential for sensitive data leakage is significant. The CVSS 4.0 base score is 5.5, reflecting medium severity with network attack vector, low complexity, no privileges or user interaction needed, and limited confidentiality impact.

The primary impact of CVE-2026-30852 is the unauthorized disclosure of sensitive information, including environment variables, system files, and configuration data. This can lead to further attacks such as credential theft, lateral movement, or system compromise if attackers gain access to secrets like database URLs or private keys. The vulnerability does not directly affect data integrity or availability but significantly compromises confidentiality. Organizations using vulnerable Caddy versions in internet-facing roles, especially those hosting sensitive applications or infrastructure, face increased risk of data leakage. This can damage reputation, violate compliance requirements, and lead to financial losses. Since exploitation requires only sending crafted HTTP headers, the attack surface is broad and easily accessible to remote attackers. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as proof-of-concept code could emerge. The medium severity rating suggests prioritizing remediation but indicates the vulnerability is not as critical as remote code execution flaws.

1. Upgrade Caddy server to version 2.11.2 or later immediately to apply the official patch that fixes the double-expansion issue. 2. Implement strict input validation and sanitization on HTTP headers at the application or reverse proxy level to block suspicious placeholder patterns such as {env.*} or {file.*}. 3. Restrict access to sensitive environment variables and files by minimizing their exposure and using least privilege principles for the Caddy process. 4. Monitor web server logs for unusual header values containing placeholder syntax indicative of exploitation attempts. 5. Employ Web Application Firewalls (WAFs) with custom rules to detect and block requests containing suspicious placeholder injections. 6. Conduct regular security audits and penetration testing focusing on injection and information disclosure vectors in web servers. 7. Isolate critical services and sensitive data from direct exposure to internet-facing Caddy instances where possible. 8. Educate development and operations teams about secure configuration and the risks of dynamic placeholder evaluation in server software.