Cloudflare ACME Validation Bug Allows WAF Bypass to Origin Servers
Summary
Cloudflare addressed a security vulnerability in its ACME validation logic that could bypass WAF rules and expose origin servers. The flaw allowed requests to the ACME HTTP-01 challenge path to disable WAF protections, potentially granting access to sensitive files. The issue was discovered in October 2025 and fixed on October 27, 2025. No evidence of exploitation was found.
Timeline
- 20.01.2026 13:12 · 1 article
  Cloudflare Fixes ACME Validation Bug Allowing WAF Bypass
- Cloudflare Fixes ACME Validation Bug Allowing WAF Bypass to Origin Servers — thehackernews.com — 20.01.2026 13:12
Information Snippets
- The vulnerability was in Cloudflare's ACME validation logic for HTTP-01 challenge paths.
  First reported: 20.01.2026 13:12 · 1 source, 1 article
- The flaw allowed requests to bypass WAF rules and reach origin servers.
  First reported: 20.01.2026 13:12 · 1 source, 1 article
- The issue was discovered and reported by FearsOff in October 2025.
  First reported: 20.01.2026 13:12 · 1 source, 1 article
- Cloudflare fixed the vulnerability on October 27, 2025.
  First reported: 20.01.2026 13:12 · 1 source, 1 article
- No evidence of exploitation was found.
  First reported: 20.01.2026 13:12 · 1 source, 1 article