← Back to feed
Security patch:
[MODERATE] GHSA-wwhq-w58m-w29c: Caddy CVE-2026-30852 Fix Bypass
GitHub Security Advisory·Security·SecurityFix·5/19/2026
# ## TL;DR CVE-2026-30852 fixed double expansion in `vars_regexp` when the variable key is a placeholder (e.g. `{http.vars.x}`). The fix does NOT protect literal key names (e.g. `tenant_id`). An attacker injects `{env.AWS_SECRET_ACCESS_KEY}` or `{file./etc/passwd}` via a request header → Caddy ex
Why it matters → A security vulnerability was patched. Upgrade affected versions to mitigate risk.
Who should care → Anyone running affected versions in production.
github.com/caddyserver/caddy/v2
View original source ↗Source payload preview
{
"ghsaId": "GHSA-wwhq-w58m-w29c",
"summary": "Caddy CVE-2026-30852 Fix Bypass",
"severity": "MODERATE",
"updatedAt": "2026-05-19T19:35:48Z",
"references": [
{
"url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-wwhq-w58m-w29c"
},
{
"url": "https://github.com/advisories/GHSA-wwhq-w58m-w29c"
}
],
"description": "# \n\n## TL;DR\n\nCVE-2026-30852 fixed double expansion in `vars_regexp` when the variable key is a placeholder (e.g. `{http.vars.x}`). The fix does NOT protect literal key names (e.g. `tenant_id`). An attacker injects `{env.AWS_SECRET_ACCESS_KEY}` or `{file./etc/passwd}` via a request header → Caddy expands it on the second pass → secrets leaked in response headers.\n\n**Affected:** Caddy v2.11.0 through v2.11.2 (latest).
…