Cloudflare Fixes ACME Validation Bug Allowing WAF Bypass to Origin Servers

Posted on January 20, 2026 by CWS

Ravie Lakshmanan, Jan 20, 2026, Web Security / Vulnerability
Cloudflare has addressed a security vulnerability affecting its Automated Certificate Management Environment (ACME) validation logic that made it possible to bypass security controls and reach origin servers.
"The vulnerability was rooted in how our edge network processed requests destined for the ACME HTTP-01 challenge path (/.well-known/acme-challenge/*)," the web infrastructure company's Hrushikesh Deshpande, Andrew Mitchell, and Leland Garofalo said.
The web infrastructure company said it found no evidence that the vulnerability was ever exploited in a malicious context.
ACME is a communications protocol (RFC 8555) that facilitates automated issuance, renewal, and revocation of SSL/TLS certificates. Every certificate provisioned to a website by a certificate authority (CA) is validated using challenges to prove domain ownership.

This process is usually performed using an ACME client such as Certbot, which proves domain ownership via an HTTP-01 (or DNS-01) challenge and manages the certificate lifecycle. The HTTP-01 challenge checks for a validation token and a key fingerprint located on the web server at the ACME challenge path over HTTP port 80.
The CA's server makes an HTTP GET request to that exact URL to retrieve the file. Once the verification succeeds, the certificate is issued and the CA marks the ACME account (i.e., the registered entity on its server) as authorized to manage that particular domain.
When the challenge is used by a certificate order managed by Cloudflare, Cloudflare answers on that path itself and returns the token supplied by the CA to the caller. If it does not correlate to a Cloudflare-managed order, the request is routed to the customer origin, which may be using a different system for domain validation.

The vulnerability, discovered and reported by FearsOff in October 2025, stems from a flawed implementation of the ACME validation process that caused certain challenge requests to the URL to disable web application firewall (WAF) rules and allowed them to reach the origin server when they should have been blocked.

In other words, the logic did not verify whether the token in the request actually matched an active challenge for that specific hostname, effectively allowing an attacker to send arbitrary requests to the ACME path and circumvent WAF protections entirely, giving them the ability to reach the origin server.
"Previously, when Cloudflare was serving an HTTP-01 challenge token, if the path requested by the caller matched a token for an active challenge in our system, the logic serving an ACME challenge token would disable WAF features, since Cloudflare would be directly serving the response," the company explained.

"This is done because these features can interfere with the CA's ability to validate the token values and would cause failures with automated certificate orders and renewals. However, in the scenario that the token used was associated with a different zone and not directly managed by Cloudflare, the request would be allowed to proceed onto the customer origin without further processing by WAF rulesets."
Kirill Firsov, founder and CEO of FearsOff, said the vulnerability could be exploited by a malicious user to obtain a deterministic, long-lived token and access sensitive files on the origin server across all Cloudflare hosts, opening the door to reconnaissance.
The vulnerability was addressed by Cloudflare on October 27, 2025, with a code change that serves the response and disables WAF features only when the request matches a valid ACME HTTP-01 challenge token for that hostname.
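To make the logic flaw concrete, the following is an added illustrative model (not Cloudflare's code) of the pre-fix and post-fix decision described above. The challenge table, hostnames, and token values are constructed assumptions; the point is that the fixed check keys on the (hostname, token) pair rather than on the token alone.

```python
from dataclasses import dataclass

# Constructed table of active HTTP-01 challenges keyed by (hostname, token).
# Simplified model of the edge logic the article describes; names and values
# are assumptions for illustration only.
ACTIVE_CHALLENGES = {
    ("shop.example", "tokenA"),   # Cloudflare-managed order for shop.example
    ("blog.example", "tokenB"),   # order belonging to a different zone
}
ACME_PREFIX = "/.well-known/acme-challenge/"


@dataclass
class Decision:
    serve_at_edge: bool   # edge answers the challenge itself
    waf_enabled: bool     # WAF rulesets still applied if request goes to origin


def token_from_path(path: str):
    """Return the token component of an ACME challenge path, or None."""
    if not path.startswith(ACME_PREFIX):
        return None
    token = path[len(ACME_PREFIX):]
    return token if token and "/" not in token else None


def flawed_decision(host: str, path: str) -> Decision:
    """Pre-fix behaviour: a token active for *any* zone disables WAF features."""
    token = token_from_path(path)
    if token is None:
        return Decision(serve_at_edge=False, waf_enabled=True)
    if (host, token) in ACTIVE_CHALLENGES:
        return Decision(serve_at_edge=True, waf_enabled=False)
    if any(t == token for _, t in ACTIVE_CHALLENGES):
        # Token belongs to another zone: the request falls through to the
        # customer origin with WAF rulesets already switched off (the bug).
        return Decision(serve_at_edge=False, waf_enabled=False)
    return Decision(serve_at_edge=False, waf_enabled=True)


def fixed_decision(host: str, path: str) -> Decision:
    """Post-fix behaviour: WAF is disabled only for a token active for this hostname."""
    token = token_from_path(path)
    if token is not None and (host, token) in ACTIVE_CHALLENGES:
        return Decision(serve_at_edge=True, waf_enabled=False)
    return Decision(serve_at_edge=False, waf_enabled=True)
```

A defender reviewing similar edge logic can use the same test: any path that reaches the origin with protections disabled must be tied to a challenge registered for that exact hostname.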
