Cloudflare Fixes ACME Validation Bug Allowing WAF Bypass to Origin Servers
Jan 20, 2026
Web Security / Vulnerability
Cloudflare has addressed a security vulnerability impacting its Automatic Certificate Management Environment ( ACME ) validation logic that made it possible to bypass security controls and access origin servers . "The vulnerability was rooted in how our edge network processed requests destined for the ACME HTTP-01 challenge path (/.well-known/acme-challenge/*)," the web infrastructure company's Hrushikesh Deshpande, Andrew Mitchell, and Leland Garofalo said. The web infrastructure company said it found no evidence that the vulnerability was ever exploited in a malicious context. ACME is a communications protocol ( RFC 8555 ) that facilitates automatic issuance, renewal, and revocation of SSL/TLS certificates. Every certificate provisioned to a website by a certificate authority (CA) is validated using challenges to prove domain ownership. This process is typically achieved using an ACME client like Certbot that proves domain ownership via an HTTP-01 (or DNS-01) ...
