Threat Advisory

ACME Lego Vulnerability Enables Path Traversal

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-40611, with a CVSS score of 8.8, is a path traversal vulnerability in the webroot HTTP-01 provider of several ACME Lego versions. The affected software is go/github.com/go-acme/lego/v4 in versions before 4.34.0 and go/github.com/go-acme/lego/v3 at version 3.9.0. The vulnerability arises because the ChallengePath function concatenates the ACME token directly into the file path without validation, so a malicious ACME server can supply a crafted challenge token containing path traversal sequences. This causes the webroot provider to write attacker-influenced content to any path writable by the lego process. An attacker can exploit this vulnerability when lego's HTTP-01 challenge solver is used against a malicious or compromised ACME server, potentially achieving remote code execution, destroying data, escalating privileges or deleting arbitrary files. The impact is significant because a malicious ACME server gains unrestricted filesystem write access and can delete arbitrary files, which can lead to data breaches and system compromise. The prerequisite for exploitation is running lego with the HTTP-01 challenge solver against a malicious or compromised ACME server.
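To make the root cause concrete, the following Go snippet (a constructed illustration added to this advisory, not lego's own code) places the unvalidated concatenation pattern the summary describes beside a hardened check that rejects any token outside the RFC 8555 base64url alphabet and confirms the cleaned path stays under the challenge directory. Function names, the webroot layout and the sample tokens are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Constructed illustration for this advisory, not lego's own code; the
// function names, the webroot layout and the sample tokens are assumptions.

// RFC 8555 HTTP-01 tokens consist only of base64url characters, so any other
// byte (including "/" and ".") is a reason to reject the server's token.
var acmeTokenRE = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// unsafeChallengePath shows the weak pattern the advisory describes: the
// token supplied by the ACME server is concatenated into the path unchecked.
func unsafeChallengePath(webroot, token string) string {
	return webroot + "/.well-known/acme-challenge/" + token
}

// safeChallengePath validates the token's alphabet first, then confirms that
// the cleaned path still sits inside the challenge directory (defense in depth).
func safeChallengePath(webroot, token string) (string, error) {
	if !acmeTokenRE.MatchString(token) {
		return "", errors.New("acme token contains characters outside base64url")
	}
	base := filepath.Join(webroot, ".well-known", "acme-challenge")
	full := filepath.Join(base, token)
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("token resolves outside %s", base)
	}
	return full, nil
}

func main() {
	webroot := "/var/www/html"
	// Constructed sample tokens: one well-formed, one carrying traversal sequences.
	for _, token := range []string{"evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA", "../../../../../tmp/traversal-demo"} {
		fmt.Printf("unvalidated: %s\n", filepath.Clean(unsafeChallengePath(webroot, token)))
		if p, err := safeChallengePath(webroot, token); err != nil {
			fmt.Printf("validated:   rejected (%v)\n", err)
		} else {
			fmt.Printf("validated:   %s\n", p)
		}
	}
}
```

Running it shows the unvalidated path for the second token resolving to /tmp/traversal-demo, outside the webroot, while the validated variant rejects it before any file is written.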


RECOMMENDATION:

We recommend updating go/github.com/go-acme/lego/v4 to version 4.34.0.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-qqx8-2xmm-jrv8
