PatchSiren cyber security CVE debrief
CVE-2026-40611 go-acme CVE debrief
CVE-2026-40611 is a high-severity vulnerability in Lego, a Go-based ACME client and library. Prior to version 4.34.0, Lego's webroot HTTP-01 challenge provider is vulnerable to arbitrary file write and deletion via path traversal: a malicious ACME server can supply a crafted challenge token containing ../ sequences, causing Lego to write attacker-influenced content to any path writable by the Lego process. The vulnerability is fixed in version 4.34.0. It has a CVSS score of 8.8 and is classified as HIGH severity.
- Vendor: go-acme
- Product: lego
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-21
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-21
- Advisory updated: 2026-06-30
Who should care
Organizations using the Lego ACME library for automated certificate management should prioritize patching to version 4.34.0 or later. This includes any entity relying on the library for HTTPS certificate issuance and renewal. Given the high severity and potential for exploitation, defenders should treat this as a critical update.
Technical summary
The vulnerability lies in the webroot HTTP-01 challenge provider of the Lego ACME library. A malicious ACME server can craft a challenge token containing ../ sequences that the provider does not reject, giving the server path traversal: it can write and delete files at any path writable by the Lego process. The issue is resolved in version 4.34.0. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating a high-severity vulnerability.
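As an added example (this is not Lego's code, nor the actual fix in 4.34.0), the following Go shows the bug class beside its hardened form. It assumes the RFC 8555 section 8.3 layout, in which the key authorization for a token is served from <webroot>/.well-known/acme-challenge/<token>, and that RFC 8555 restricts tokens to the unpadded base64url alphabet. The function names UnsafeChallengePath, ChallengePath, PresentChallenge and CleanUpChallenge are invented for the illustration; the sample token and key authorization are constructed values. Both the write and the delete go through the same validated path, since the advisory covers deletion as well as writing.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Layout assumed for an HTTP-01 webroot provider (RFC 8555 section 8.3):
// the key authorization for a token is served from
// <webroot>/.well-known/acme-challenge/<token>.
const challengeDir = ".well-known/acme-challenge"

// RFC 8555 section 8.3 restricts tokens to the base64url alphabet with no
// padding, so "/", "." and "\" never appear in a legitimate token.
var tokenPattern = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

var (
	ErrBadToken    = errors.New("challenge token is not base64url")
	ErrEscapesRoot = errors.New("challenge path escapes the challenge directory")
)

// UnsafeChallengePath is a generic illustration of the bug class (not Lego's
// code): the server-supplied token is joined onto the webroot with no
// validation, so "../" segments walk out of the challenge directory.
func UnsafeChallengePath(webroot, token string) string {
	return filepath.Join(webroot, challengeDir, token)
}

// ChallengePath returns the file that should hold the key authorization for
// token, or an error if the token is malformed or the result would leave the
// challenge directory. The alphabet check alone defeats traversal; the
// containment check is defence in depth for callers that skip the first.
func ChallengePath(webroot, token string) (string, error) {
	if !tokenPattern.MatchString(token) {
		return "", ErrBadToken
	}
	base := filepath.Join(webroot, challengeDir)
	full := filepath.Join(base, token)
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesRoot
	}
	return full, nil
}

// PresentChallenge mirrors the shape of a provider's Present step: it writes
// the key authorization, but only to a path that ChallengePath has accepted.
func PresentChallenge(webroot, token, keyAuth string) error {
	path, err := ChallengePath(webroot, token)
	if err != nil {
		return fmt.Errorf("refusing to present challenge: %w", err)
	}
	if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
		return err
	}
	return os.WriteFile(path, []byte(keyAuth), 0o644)
}

// CleanUpChallenge mirrors the CleanUp step; the delete is guarded by the same
// validation, so a crafted token cannot steer it outside the challenge directory.
func CleanUpChallenge(webroot, token string) error {
	path, err := ChallengePath(webroot, token)
	if err != nil {
		return fmt.Errorf("refusing to clean up challenge: %w", err)
	}
	return os.Remove(path)
}

func main() {
	root, err := os.MkdirTemp("", "webroot")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)

	// Constructed sample values; in practice the ACME server issues the token.
	token := "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
	if err := PresentChallenge(root, token, token+".example-thumbprint"); err != nil {
		panic(err)
	}
	fmt.Println("wrote challenge file for a well-formed token")

	// A token carrying "../" is rejected before any filesystem call is made.
	err = PresentChallenge(root, "../../../../tmp/owned", "x")
	fmt.Println("traversal token rejected:", errors.Is(err, ErrBadToken))
	_ = CleanUpChallenge(root, token)
}
```

The alphabet check is the decisive control: because a conforming token can never contain a separator or a dot, anything that does is not a challenge token and should be refused rather than sanitised. The containment check on the cleaned path is kept so that a future caller that builds the path some other way still cannot escape the challenge directory.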
Defensive priority
Patching to version 4.34.0 or later is the primary mitigation. Defenders should also review their inventory of systems and applications using the vulnerable version of the Lego ACME library and prioritize updates accordingly.
Recommended defensive actions
- Patch the Lego ACME library to version 4.34.0 or later
- Review and update inventory of systems and applications using the vulnerable library
- Monitor for suspicious ACME server interactions
- Implement additional access controls and file system restrictions for the Lego process
- Consider compensating controls for temporary mitigation if patching is not immediately feasible
Evidence notes
The CVE record and NVD detail provide official information on the vulnerability. Multiple source references, including GitHub security advisories and Red Hat errata, confirm the vulnerability and provide additional context. The vulnerability is also tracked in various bugzilla and security databases.
Official resources
- CVE-2026-40611 CVE record (CVE.org)
- CVE-2026-40611 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.