CVE-2026-30852: Caddy's vars_regexp double-expands user input, leaking env vars and files
The vars_regexp matcher (vars.go:337) double-expands user-controlled input through the Caddy replacer. When vars_regexp is configured to match against a placeholder such as {http.request.header.X-Input}, the placeholder is resolved once to the header value (expected), and that value is then passed through repl.ReplaceAll() a second time (the bug). An attacker can therefore send a request header containing {env.DATABASE_URL} or {file./etc/passwd}, and the server evaluates it, exposing environment variables, file contents and other replacer-reachable system information to the regexp match. Any vars_regexp whose input resolves to request-controlled data is exposed in the same way; a vars_regexp over a value the client cannot influence never sees attacker-supplied placeholders.
header_regexp does NOT do this — it passes header values straight to Match(). So this is a code-level inconsistency, not intended behavior.
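The following Go program is an added illustration, not Caddy's code: it models the replacer with a small placeholder table (a constructed environment, a constructed file, and a request header), puts the reported double expansion beside the single-expansion behaviour that header_regexp already has, and adds a cheap log/WAF check for placeholders arriving in client headers. The Replacer type, the "unknown placeholders are left untouched" rule and the sample values are assumptions of this model; the real replacer also knows many other placeholder families.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Replacer is a deliberately small model of Caddy's placeholder replacer
// (assumption of this example). It knows only the three placeholder
// families the advisory mentions.
type Replacer struct {
	env     map[string]string // {env.NAME}
	files   map[string]string // {file.PATH}, constructed contents, no disk access
	headers map[string]string // {http.request.header.NAME}
}

var placeholderRe = regexp.MustCompile(`\{[^{}]+\}`)

// ReplaceAll resolves every {...} it knows. Unknown placeholders are left
// untouched here; that is a simplification, not Caddy's exact behaviour.
func (r *Replacer) ReplaceAll(s string) string {
	return placeholderRe.ReplaceAllStringFunc(s, func(ph string) string {
		key := ph[1 : len(ph)-1]
		tables := map[string]map[string]string{
			"env.":                 r.env,
			"file.":                r.files,
			"http.request.header.": r.headers,
		}
		for prefix, table := range tables {
			if strings.HasPrefix(key, prefix) {
				if v, ok := table[strings.TrimPrefix(key, prefix)]; ok {
					return v
				}
			}
		}
		return ph
	})
}

// vulnerableVarsRegexp models the reported bug: the configured input is
// expanded once (intended: it yields the header value) and then expanded a
// second time, so placeholders the client put inside the header are
// evaluated server-side before the regexp ever runs.
func vulnerableVarsRegexp(r *Replacer, input string, re *regexp.Regexp) (matched bool, evaluated string) {
	v := r.ReplaceAll(input)
	v = r.ReplaceAll(v) // the extra pass
	return re.MatchString(v), v
}

// fixedVarsRegexp expands exactly once; the header value is matched
// literally, which is what header_regexp already does.
func fixedVarsRegexp(r *Replacer, input string, re *regexp.Regexp) (matched bool, evaluated string) {
	v := r.ReplaceAll(input)
	return re.MatchString(v), v
}

// LooksLikePlaceholderInjection is a cheap log or WAF check: a client header
// carrying a Caddy-style placeholder is never legitimate input to a matcher.
func LooksLikePlaceholderInjection(headerValue string) bool {
	return placeholderRe.MatchString(headerValue)
}

// newSampleReplacer builds constructed sample state: a fake environment, a
// fake file, and a request whose X-Input header carries the probe value.
func newSampleReplacer(xInput string) *Replacer {
	return &Replacer{
		env:     map[string]string{"DATABASE_URL": "postgres://app:s3cret@db/prod"},
		files:   map[string]string{"/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"},
		headers: map[string]string{"X-Input": xInput},
	}
}

func main() {
	// The regexp acts as a match/no-match oracle on the secret.
	re := regexp.MustCompile(`s3cret`)
	for _, probe := range []string{"{env.DATABASE_URL}", "{file./etc/passwd}", "hello"} {
		r := newSampleReplacer(probe)
		vm, vv := vulnerableVarsRegexp(r, "{http.request.header.X-Input}", re)
		fm, fv := fixedVarsRegexp(r, "{http.request.header.X-Input}", re)
		fmt.Printf("header=%q\n  vulnerable: matched=%v value=%q\n  fixed:      matched=%v value=%q\n  flagged=%v\n",
			probe, vm, vv, fm, fv, LooksLikePlaceholderInjection(probe))
	}
}
```

The single-expansion version is the whole fix: once the configured input has been resolved, the result is data and must be handed to the regexp as-is. The detection helper is worth running over access logs for the affected window, since a header value containing `{env.` or `{file.` has no benign explanation.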