GHSA-wwhq-w58m-w29c: Caddy CVE-2026-30852 Fix Bypass

May 19, 2026

Environment variable disclosure: {env.AWS_SECRET_ACCESS_KEY}, {env.DATABASE_URL}, etc.
Arbitrary file read (up to 1MB): {file./etc/passwd}, {file./proc/self/environ}
System info: {system.hostname}, {system.os}
Full env dump in one request: {file./proc/self/environ}

References

github.com/advisories/GHSA-wwhq-w58m-w29c
github.com/caddyserver/caddy/security/advisories/GHSA-wwhq-w58m-w29c

Code Behaviors & Features

Detect and mitigate GHSA-wwhq-w58m-w29c with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →