{“lastseen”:”2026-01-20T11:13:01″,”description”:”\\n\\nCloudflare has addressed a security vulnerability impacting its Automatic Certificate Management Environment (ACME) validation logic that made it possible to bypass security controls and access origin servers. \\n\\n\\”The vulnerability was rooted in how our edge network processed requests destined for the ACME HTTP-01 challenge path (\/.well-known\/acme-challenge\/*),\\” the web infrastructure company’s Hrushikesh Deshpande, Andrew Mitchell, and Leland Garofalo said.\\n\\nThe web infrastructure company said it found no evidence that the vulnerability was ever exploited in a malicious context.\\n\\nACME is a communications protocol (RFC 8555) that facilitates automatic issuance, renewal, and revocation of SSL\/TLS certificates. Every certificate provisioned to a website by a certificate authority (CA) is validated using challenges to prove domain ownership.\\n\\n\\n\\nThis process is typically achieved using an ACME client like Certbot that proves domain ownership via an HTTP-01 (or DNS-01) challenge and manages the certificate lifecycle. The HTTP-01 challenge checks for a validation token and a key fingerprint located in the web server at \\”https:\/\/\\u003cYOUR_DOMAIN\\u003e\/.well-known\/acme-challenge\/\\u003cTOKEN\\u003e\\” over HTTP port 80.\\n\\nThe CA’s server makes an HTTP GET request to that exact URL to retrieve the file. Once the verification succeeds, the certificate is issued and the CA marks the ACME account (i.e., the registered entity on its server) as authorized to manage that specific domain.\\n\\nIn the event the challenge is used by a certificate order managed by Cloudflare, then Cloudflare will respond on the aforementioned path and provide the token provided by the CA to the caller. But if it does not correlate to a Cloudflare-managed order, the request is routed to the customer origin, which may be using a different system for domain validation.\\n\\n\\n\\nThe vulnerability, discovered and reported by FearsOff in October 2025, has to do with a flawed implementation of the ACME validation process that causes certain challenge requests to the URL to disable web application firewall (WAF) rules and allow it to reach the origin server when it should have been ideally blocked.\\n\\nIn other words, the logic failed to verify whether the token in the request actually matched an active challenge for that specific hostname, effectively permitting an attacker to send arbitrary requests to the ACME path and circumvent WAF protections entirely, granting them the ability to reach the origin server.\\n\\n\\”Previously, when Cloudflare was serving an HTTP-01 challenge token, if the path requested by the caller matched a token for an active challenge in our system, the logic serving an ACME challenge token would disable WAF features, since Cloudflare would be directly serving the response,\\” the company explained.\\n\\n\\n\\n\\”This is done because those features can interfere with the CA’s ability to validate the token values and would cause failures with automated certificate orders and renewals. However, in the scenario that the token used was associated with a different zone and not directly managed by Cloudflare, the request would be allowed to proceed onto the customer origin without further processing by WAF rulesets.\\”\\n\\nKirill Firsov, founder and CEO of FearsOff, said the vulnerability could be exploited by a malicious user to obtain a deterministic, long\u2011lived token and access sensitive files on the origin server across all Cloudflare hosts, opening the door to reconnaissance.\\n\\nThe vulnerability was addressed by Cloudflare on October 27, 2025, with a code change that serves the response and disables WAF features only when the request matches a valid ACME HTTP-01 challenge token for that hostname.\\n\\nFound this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.\\n”,”published”:”2026-01-20T11:12:00″,”modified”:”2026-01-20T11:12:35″,”type”:”thn”,”title”:”Cloudflare Fixes ACME Validation Bug Allowing WAF Bypass to Origin Servers”,”source”:””,”references”:””,”id”:”THN:8ED893DD74818287F3F2542D15D21732″,”bulletinFamily”:”info”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/thehackernews.com\/2026\/01\/cloudflare-fixes-acme-validation-bug.html”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-20T11:13:01″,”description”:”\\n\\nCloudflare has addressed a security vulnerability impacting its Automatic Certificate Management Environment (ACME) validation logic that made it possible to bypass security controls and access…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,11,43,5],"class_list":["post-36412","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-tapic","tag-thn","tag-vulnerability"],"yoast_head":"\n