An update was made on January 20, 2026.
On October 13, 2025, security researchers from FearsOff identified and reported a vulnerability in Cloudflare’s ACME (Automatic Certificate Management Environment) validation logic. This flaw could disable some WAF features on specific ACME-related paths. The vulnerability was reported and validated through Cloudflare’s bug bounty program.
The vulnerability stemmed from how the Cloudflare edge network processed requests for the ACME HTTP-01 challenge path (/.well-known/acme-challenge/*).
This article explains how this protocol functions and the steps taken to address the vulnerability.
Cloudflare addressed this vulnerability, and no action is necessary for Cloudflare customers. There is no evidence of any malicious actor abusing this vulnerability.
How ACME works to validate certificates
ACME is a protocol used to automate the issuance, renewal, and revocation of SSL/TLS certificates. When an HTTP-01 challenge is used to validate domain ownership, a Certificate Authority (CA) expects to find a validation token at the HTTP path following the format of http://{customer domain}/.well-known/acme-challenge/{token value}.
If this challenge is used by a certificate order managed by Cloudflare, the system will respond on this path and provide the token from the CA to the caller. If the token provided does not correlate to a Cloudflare-managed order, the request would be passed to the customer origin, as they might be attempting domain validation as part of another system.
The underlying logic flaw
Certain requests to /.well-known/acme-challenge/* could lead to the ACME challenge token serving logic disabling WAF features on a challenge request, allowing it to proceed to the origin when it should have been blocked.
Previously, when the system was serving an HTTP-01 challenge token, if the path requested by the caller matched a token for an active challenge in its system, the logic serving an ACME challenge token would disable WAF features. This occurs because those features can interfere with the CA’s ability to validate token values, potentially causing failures with automated certificate orders and renewals.
However, if the token used was associated with a different zone and not directly managed by Cloudflare, the request would be allowed to proceed to the customer origin without further processing by WAF rulesets.
How this vulnerability was mitigated
To mitigate this issue, a code change was released. This code change only allows the set of security features to be disabled if the request matches a valid ACME HTTP-01 challenge token for the hostname. In such cases, the system has a challenge response to serve back.
Cloudflare customers are protected
As previously mentioned, Cloudflare addressed this vulnerability, and Cloudflare customers do not need to take any action. Additionally, there is no evidence of any malicious actor abusing this vulnerability.
Moving quickly with vulnerability transparency
Appreciation is extended to the external researchers for responsibly disclosing this vulnerability. The Cloudflare community is encouraged to submit any identified vulnerabilities to help improve the security posture of its products and platform.
The trust placed in the platform is recognized as paramount to the success of infrastructure on Cloudflare. Vulnerabilities are handled with utmost concern, with continuous efforts made to mitigate impact. The platform remains committed to prioritizing security and acting swiftly and transparently whenever an issue arises.
