Endigest AI Core Summary
Cloudflare disclosed and patched a WAF bypass vulnerability in their ACME HTTP-01 challenge validation logic, reported by FearsOff researchers in October 2025.
• The vulnerability caused WAF features to be disabled for requests to /.well-known/acme-challenge/* paths under certain conditions
• When a token matched a challenge associated with a different zone, the request bypassed WAF rulesets and was passed to the customer origin unfiltered
• The fix disables WAF features only when the request matches a valid ACME HTTP-01 token for the specific hostname being served
• No customer action is required and no evidence of malicious exploitation was found
• The issue was responsibly disclosed via Cloudflare's bug bounty program
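The difference between the flawed and the fixed decision, as an added example: this is a simplified model written for this summary, not Cloudflare's code. The function names, the token-to-hostname map and all sample tokens and hostnames are assumptions constructed for illustration.

```python
from typing import Dict, List, Optional, Tuple

ACME_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample data: pending HTTP-01 tokens mapped to the hostname each
# challenge was issued for. All tokens and hostnames are hypothetical.
PENDING: Dict[str, str] = {
    "tokenA-constructed": "shop.example.com",
    "tokenB-constructed": "blog.example.net",
}


def extract_token(path: str) -> Optional[str]:
    """Return the token only if path is a single segment under the ACME prefix."""
    if not path.startswith(ACME_PREFIX):
        return None
    token = path[len(ACME_PREFIX):]
    return token if token and "/" not in token else None


def skip_waf_before_fix(host: str, path: str, pending: Dict[str, str]) -> bool:
    """Flawed model: any known token disables WAF, whichever zone owns it."""
    token = extract_token(path)
    return token is not None and token in pending


def skip_waf_after_fix(host: str, path: str, pending: Dict[str, str]) -> bool:
    """Fixed model: the token must belong to a challenge for the served hostname."""
    token = extract_token(path)
    if token is None:
        return False
    return pending.get(token) == host.lower().rstrip(".")


def regression_cases(requests: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Requests the flawed check would exempt from WAF but the fixed check would not."""
    return [r for r in requests
            if skip_waf_before_fix(*r, PENDING) and not skip_waf_after_fix(*r, PENDING)]


# Constructed (host, path) pairs for a regression test of the decision logic.
SAMPLE_REQUESTS = [
    ("shop.example.com", ACME_PREFIX + "tokenA-constructed"),  # own challenge
    ("blog.example.net", ACME_PREFIX + "tokenA-constructed"),  # other zone's token
    ("shop.example.com", ACME_PREFIX + "not-a-pending-token"),
    ("shop.example.com", "/login"),
]
```

Only the cross-zone request changes outcome between the two checks, which makes it the case to pin in a regression test for any path-based security exemption.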
This summary was automatically generated by AI based on the original article and may not be fully accurate.