PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40611 go-acme CVE debrief

CVE-2026-40611 is a high-severity vulnerability in Lego, the Go ACME client and library maintained under go-acme. Before version 4.34.0, Lego's webroot HTTP-01 challenge provider is vulnerable to arbitrary file write and deletion via path traversal. The provider writes each challenge token to a file under the web root so the ACME server can fetch it; a malicious (or impersonated) ACME server can supply a token containing ../ sequences, so the file, with attacker-influenced content, lands at any path the Lego process can write, and the provider's cleanup step then removes whatever sits at that same path. Version 4.34.0 fixes the issue. The CVSS 3.1 base score is 8.8 (HIGH).

Vendor
go-acme
Product
lego
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-21
Original CVE updated
2026-06-30
Advisory published
2026-04-21
Advisory updated
2026-06-30

Who should care

Anyone running Lego, whether the lego CLI or a Go program that imports the library, with the webroot HTTP-01 challenge provider should update to 4.34.0 or later. The advisory names only the webroot provider, but the safe course is to update every Lego deployment rather than audit which challenge type each one uses. The trigger is a malicious or impersonated ACME server, so exposure is highest where the directory URL is user-configurable, points at a third-party CA, or can be intercepted on the network; the impact is a file write and delete at whatever privilege Lego runs with, which in webroot deployments is often enough to write into the web server's document root and beyond.

Technical summary

The webroot HTTP-01 provider satisfies a challenge by writing a key-authorization file at <webroot>/.well-known/acme-challenge/<token>, the location RFC 8555 defines for HTTP-01, and removing it once the challenge is done. The token is chosen by the ACME server, and before 4.34.0 it was placed into that path without validation. RFC 8555 section 8.3 requires tokens to consist only of base64url characters with no padding, so a token containing ../ is never legitimate; a malicious server that sends one anyway gets the path joined and resolved to a location outside the challenge directory, where Lego then writes the file and later deletes it. The issue is resolved in version 4.34.0. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: reachable over the network with no privileges, with UI:R reflecting that the victim's client must run a certificate request against the attacker-controlled or attacker-impersonated server.
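To make the traversal concrete, here is an added Go example, written for this debrief and not taken from lego, showing the two ways a webroot provider can build the challenge file path. naiveChallengePath mirrors the unchecked join the advisory describes; safeChallengePath applies the token syntax RFC 8555 mandates (base64url only) and then verifies the joined path still lies under the challenge directory. The function names, the web root and the two sample tokens are constructed for illustration; how lego's own fix validates the token is not stated in the source material.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// challengeDir is where RFC 8555 section 8.3 says an HTTP-01 key
// authorization must be served, relative to the web server's document root.
const challengeDir = ".well-known/acme-challenge"

// ErrBadToken is returned for tokens that are not bare base64url.
var ErrBadToken = errors.New("acme: challenge token is not base64url")

// RFC 8555 requires tokens to use only the base64url alphabet with no
// padding, so "/", "." and "\" can never legitimately appear in one.
var tokenRE = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// naiveChallengePath reproduces the unsafe pattern: the server-chosen token
// is joined into the path unchecked, so ../ segments walk out of the
// challenge directory. Illustrative only; this is not lego's code.
func naiveChallengePath(webroot, token string) string {
	return filepath.Join(webroot, challengeDir, token)
}

// safeChallengePath rejects any token that is not base64url and, as defence
// in depth, confirms the joined path is still inside the challenge directory
// before handing it to whatever writes (and later deletes) the file.
func safeChallengePath(webroot, token string) (string, error) {
	if !tokenRE.MatchString(token) {
		return "", ErrBadToken
	}
	base := filepath.Join(webroot, challengeDir)
	full := filepath.Join(base, token)
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("acme: token %q escapes %s", token, base)
	}
	return full, nil
}

func main() {
	const webroot = "/var/www/html" // constructed example web root
	// Constructed tokens: one a traversal of the kind the advisory describes,
	// one a well-formed 43-character base64url value as a real CA would send.
	for _, tok := range []string{
		"../../../../../etc/cron.d/acme",
		"evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA",
	} {
		fmt.Printf("naive: %s\n", naiveChallengePath(webroot, tok))
		p, err := safeChallengePath(webroot, tok)
		fmt.Printf("safe:  %q err=%v\n", p, err)
	}
}
```

The regexp check is the one that matters: once the token is restricted to base64url there is nothing filepath.Join can turn into a parent reference. The filepath.Rel check costs nothing and catches a future change that loosens the syntax check.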

Defensive priority

Updating to version 4.34.0 or later is the fix. Because Lego is both a CLI and an embedded library, the inventory has to cover Go binaries that compile it in, not only hosts that run the lego command, and those binaries need to be rebuilt against the fixed module and redeployed.

Recommended defensive actions

  • Update Lego to 4.34.0 or later: the lego CLI where it is installed as a binary, and the github.com/go-acme/lego/v4 module in any Go program that imports it, followed by a rebuild and redeploy of those programs
  • Inventory where Lego runs: search go.mod files for github.com/go-acme/lego/v4, run go version -m on deployed Go executables, and note which instances use the webroot HTTP-01 provider
  • Pin and verify the ACME directory URL in configuration: an https URL for the CA actually in use, fetched with certificate validation, is what prevents an attacker from standing in as the ACME server
  • Run Lego as a dedicated unprivileged user whose write access is limited to the challenge directory and the certificate output path, so a traversed write cannot reach anything more sensitive; alert on writes by that user outside those paths
  • Where patching must wait, move the affected hosts to a challenge provider the advisory does not name, such as DNS-01, until the update is in place
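The inventory step above goes faster if something parses what the Go tooling already prints. The following Go program is an added example, not a lego or go-acme tool: it scans go.mod text, go list -m all output or go version -m <binary> output for github.com/go-acme/lego/v4 and reports whether the pinned version is below 4.34.0, treating a pre-release of 4.34.0 itself as still vulnerable. The sample inputs in main are constructed, and the function names are ours.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// legoModule is the Go module path of lego v4 as it appears in go.mod,
// go list -m all and go version -m output.
const legoModule = "github.com/go-acme/lego/v4"

// fixedVersion is the first release the advisory names as fixed.
var fixedVersion = [3]int{4, 34, 0}

// parseSemver splits "v4.33.0" or "v4.34.0-rc1" into its numeric core and
// reports whether a pre-release suffix was present.
func parseSemver(v string) (core [3]int, pre bool, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		pre = v[i] == '-' // build metadata ("+...") does not affect ordering
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return core, false, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return core, false, false
		}
		core[i] = n
	}
	return core, pre, true
}

// isVulnerable reports whether v is below 4.34.0. Semver orders
// 4.34.0-rc1 before 4.34.0, so a pre-release of the fixed version is
// still flagged.
func isVulnerable(v string) (bool, error) {
	core, pre, ok := parseSemver(v)
	if !ok {
		return false, fmt.Errorf("unparseable version %q", v)
	}
	if core == fixedVersion {
		return pre, nil
	}
	for i := range core {
		if core[i] != fixedVersion[i] {
			return core[i] < fixedVersion[i], nil
		}
	}
	return false, nil
}

// legoVersion finds the lego/v4 module in tool output and returns the
// version token that follows it. A replace directive ("=> ../lego") has no
// version after the module path and is skipped.
func legoVersion(text string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		for i, tok := range f {
			if tok == legoModule && i+1 < len(f) && strings.HasPrefix(f[i+1], "v") {
				return f[i+1], true
			}
		}
	}
	return "", false
}

// checkText returns the lego version found (empty if absent), whether it
// is vulnerable, and a parse error if the version string is malformed.
func checkText(text string) (string, bool, error) {
	v, found := legoVersion(text)
	if !found {
		return "", false, nil
	}
	vuln, err := isVulnerable(v)
	return v, vuln, err
}

func main() {
	// Constructed samples: a go.mod fragment and one go version -m line.
	samples := map[string]string{
		"go.mod":        "require github.com/go-acme/lego/v4 v4.33.0\n",
		"go version -m": "\tdep\tgithub.com/go-acme/lego/v4\tv4.34.0\th1:constructed=\n",
	}
	for name, text := range samples {
		v, vuln, err := checkText(text)
		fmt.Printf("%-14s lego=%s vulnerable=%v err=%v\n", name, v, vuln, err)
	}
}
```

Feed it the output of go version -m over every Go executable on a host to catch programs that embed lego without a go.mod anywhere on the machine; that is the case the go.mod search misses.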

Evidence notes

The CVE record and the NVD entry provide the official description and scoring. GitHub security advisories and Red Hat errata in the source set confirm the vulnerability and add context, and the issue is also tracked in bugzilla and other security databases.

Official resources

This article is AI-assisted and based on the supplied source corpus.