
Cloudflare Fixes ACME Validation Vulnerability Allowing Security Bypass and Origin Server Access
Cloudflare has patched a vulnerability in its ACME validation logic that allowed attackers to bypass security controls and access origin servers. The issue stemmed from how its edge network processed requests targeting the ACME HTTP-01 challenge path (/.well-known/acme-challenge/*). The flaw enabled attackers to circumvent Cloudflare’s Web Application Firewall (WAF) rules and reach origin servers directly. No specific discovery or patch date is mentioned. The issue affected customers using ACME for automated TLS certificate management.
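
An added example, not from the original article or from Cloudflare: a review pass over origin access logs that flags requests under the challenge path that do not look like a plain HTTP-01 token fetch (GET, a single base64url token as RFC 8555 specifies, no query string). The combined log format and the sample lines are assumptions constructed for the example; the article does not describe the requests involved in the bypass.

```python
import re
from urllib.parse import urlsplit, unquote

ACME_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 section 8.3: the token uses only the base64url alphabet, no padding.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")
# Assumption: the origin writes access logs in combined log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def review(lines):
    """Return (ip, method, target, reasons) for challenge-path hits worth a look."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        parts = urlsplit(m["target"])
        path = unquote(parts.path)  # decode %xx so encoded separators are seen
        if not path.lower().startswith(ACME_PREFIX):
            continue  # outside the challenge path, not this check's concern
        reasons = []
        if m["method"] != "GET":
            reasons.append("method")        # HTTP-01 validation is a GET
        if not TOKEN_RE.fullmatch(path[len(ACME_PREFIX):]):
            reasons.append("not-a-token")   # sub-path, dots, or empty remainder
        if parts.query:
            reasons.append("query-string")  # a token fetch carries no query
        if reasons:
            findings.append((m["ip"], m["method"], m["target"], reasons))
    return findings

# Constructed sample lines (documentation IP ranges, made-up tokens).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2025:00:00:01 +0000] "GET /.well-known/acme-challenge/Zm9vYmFyLWNvbnN0cnVjdGVk HTTP/1.1" 200 87 "-" "validator"',
    '198.51.100.7 - - [01/Jan/2025:00:00:02 +0000] "GET /.well-known/acme-challenge/reports/export HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [01/Jan/2025:00:00:03 +0000] "POST /.well-known/acme-challenge/abc123 HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.8 - - [01/Jan/2025:00:00:04 +0000] "GET /.well-known/acme-challenge/abc123?debug=1 HTTP/1.1" 200 64 "-" "-"',
    '192.0.2.11 - - [01/Jan/2025:00:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
]

if __name__ == "__main__":
    for ip, method, target, reasons in review(SAMPLE):
        print(f"{ip} {method} {target} -> {', '.join(reasons)}")
```

A flagged line is a prompt for review rather than proof of abuse; the same pattern can back an origin-side rule that answers anything but a well-formed token request on this path with 404.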