CVE-2026-40611: Lego ACME Path Traversal Vulnerability

CVE-2026-40611 Overview

CVE-2026-40611 is a path traversal vulnerability affecting Lego, the Let's Encrypt client and ACME library written in Go. Prior to version 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, causing lego to write attacker-influenced content to any path writable by the lego process.

Critical Impact
A malicious ACME server can leverage this path traversal vulnerability to write arbitrary files to the system, potentially enabling remote code execution, configuration tampering, or complete system compromise depending on the privileges of the lego process.

Affected Products

Lego ACME client versions prior to 4.34.0
Applications using the lego Go library for ACME protocol operations
Systems utilizing the webroot HTTP-01 challenge provider

Discovery Timeline

2026-04-21 - CVE CVE-2026-40611 published to NVD
2026-04-22 - Last updated in NVD database

Technical Details for CVE-2026-40611

Vulnerability Analysis

This vulnerability (CWE-22: Path Traversal) exists in the webroot HTTP-01 challenge provider component of the lego ACME client library. The HTTP-01 challenge is a common method used by ACME servers (like Let's Encrypt) to verify domain ownership, requiring the client to place a specific file in a well-known location on the web server.

The vulnerability arises because lego fails to properly sanitize the challenge token received from the ACME server before using it to construct file paths. When a malicious ACME server sends a challenge token containing directory traversal sequences (such as ../), the client blindly uses this value to construct the destination path for writing the challenge response file.

This allows an attacker controlling a rogue ACME server to write attacker-controlled content to arbitrary locations on the filesystem, limited only by the permissions of the process running lego.

Root Cause

The root cause is insufficient input validation of the ACME challenge token. The webroot challenge provider constructs file paths by concatenating user-controlled input (the challenge token) with a base directory path without properly validating or sanitizing the token value. The library fails to reject or sanitize tokens containing path traversal sequences like ../ or absolute paths, allowing directory escape.

Attack Vector

The attack requires user interaction in the form of initiating a certificate request against a malicious or compromised ACME server. The attack flow is as follows:

An attacker sets up a malicious ACME server or compromises an existing one
A victim configures lego to request a certificate from this malicious server using the webroot HTTP-01 challenge
The malicious server responds with a crafted challenge token containing path traversal sequences (e.g., ../../../../etc/cron.d/malicious)
Lego constructs the file path by appending the malicious token to the webroot directory
The path traversal sequences cause lego to write the challenge response (containing attacker-influenced content) outside the intended webroot directory
Depending on the target path and process privileges, this can result in arbitrary file creation, code execution, or system compromise

The vulnerability requires network access and user interaction (initiating the certificate request), but once triggered, can have severe consequences including full system compromise.

Detection Methods for CVE-2026-40611

Indicators of Compromise

Unexpected files appearing outside the webroot .well-known/acme-challenge/ directory structure
Files with names containing .. or unusual path patterns in ACME challenge directories
Lego process writing to unexpected system directories such as /etc/cron.d, /etc/ssh, or other sensitive locations
Modified system configuration files coinciding with certificate renewal operations

Detection Strategies

Monitor file system operations performed by lego processes for writes outside expected webroot directories
Implement file integrity monitoring (FIM) on critical system directories to detect unauthorized file creation or modification
Review ACME server configurations and ensure only trusted certificate authorities are configured
Audit network connections from lego to identify communications with unexpected or untrusted ACME servers

Monitoring Recommendations

Enable comprehensive logging for certificate management operations and file system access
Configure alerting for any file writes by ACME clients to paths outside designated challenge directories
Monitor for the creation of new scheduled tasks, SSH keys, or service configurations coinciding with certificate operations
Implement network monitoring to detect connections to non-standard ACME endpoints

How to Mitigate CVE-2026-40611

Immediate Actions Required

Upgrade lego to version 4.34.0 or later immediately
Review ACME server configurations to ensure only trusted certificate authorities are used
Audit systems running vulnerable versions for signs of compromise, particularly unauthorized file modifications
Run lego processes with minimal filesystem permissions to limit potential impact

Patch Information

The vulnerability is fixed in lego version 4.34.0. Users should upgrade to this version or later to remediate the vulnerability. For detailed information about the security fix, refer to the GitHub Security Advisory.

Workarounds

If upgrading is not immediately possible, avoid using the webroot HTTP-01 challenge provider until the patch is applied
Consider using alternative challenge types such as DNS-01 that do not involve file system operations
Implement strict file system permissions to limit write access for the lego process to only the required challenge directory
Use containerization or sandboxing to isolate the lego process and restrict its file system access

bash

# Configuration example - Restrict lego process permissions
# Create a dedicated user with limited permissions
useradd -r -s /bin/false lego-service

# Set restrictive permissions on webroot challenge directory
chown lego-service:lego-service /var/www/html/.well-known/acme-challenge
chmod 755 /var/www/html/.well-known/acme-challenge

# Run lego with restricted user
sudo -u lego-service lego --webroot /var/www/html/.well-known/acme-challenge --domains example.com run

CVE-2026-40611 Overview

Critical Impact
A malicious ACME server can leverage this path traversal vulnerability to write arbitrary files to the system, potentially enabling remote code execution, configuration tampering, or complete system compromise depending on the privileges of the lego process.

Affected Products

Lego ACME client versions prior to 4.34.0
Applications using the lego Go library for ACME protocol operations
Systems utilizing the webroot HTTP-01 challenge provider

Discovery Timeline

2026-04-21 - CVE CVE-2026-40611 published to NVD
2026-04-22 - Last updated in NVD database

Technical Details for CVE-2026-40611

Vulnerability Analysis

This allows an attacker controlling a rogue ACME server to write attacker-controlled content to arbitrary locations on the filesystem, limited only by the permissions of the process running lego.

Root Cause

Attack Vector

The attack requires user interaction in the form of initiating a certificate request against a malicious or compromised ACME server. The attack flow is as follows:

An attacker sets up a malicious ACME server or compromises an existing one
A victim configures lego to request a certificate from this malicious server using the webroot HTTP-01 challenge
The malicious server responds with a crafted challenge token containing path traversal sequences (e.g., ../../../../etc/cron.d/malicious)
Lego constructs the file path by appending the malicious token to the webroot directory
The path traversal sequences cause lego to write the challenge response (containing attacker-influenced content) outside the intended webroot directory
Depending on the target path and process privileges, this can result in arbitrary file creation, code execution, or system compromise

The vulnerability requires network access and user interaction (initiating the certificate request), but once triggered, can have severe consequences including full system compromise.

Detection Methods for CVE-2026-40611

Indicators of Compromise

Unexpected files appearing outside the webroot .well-known/acme-challenge/ directory structure
Files with names containing .. or unusual path patterns in ACME challenge directories
Lego process writing to unexpected system directories such as /etc/cron.d, /etc/ssh, or other sensitive locations
Modified system configuration files coinciding with certificate renewal operations

Detection Strategies

Monitor file system operations performed by lego processes for writes outside expected webroot directories
Implement file integrity monitoring (FIM) on critical system directories to detect unauthorized file creation or modification
Review ACME server configurations and ensure only trusted certificate authorities are configured
Audit network connections from lego to identify communications with unexpected or untrusted ACME servers

Monitoring Recommendations

Enable comprehensive logging for certificate management operations and file system access
Configure alerting for any file writes by ACME clients to paths outside designated challenge directories
Monitor for the creation of new scheduled tasks, SSH keys, or service configurations coinciding with certificate operations
Implement network monitoring to detect connections to non-standard ACME endpoints

How to Mitigate CVE-2026-40611

Immediate Actions Required

Upgrade lego to version 4.34.0 or later immediately
Review ACME server configurations to ensure only trusted certificate authorities are used
Audit systems running vulnerable versions for signs of compromise, particularly unauthorized file modifications
Run lego processes with minimal filesystem permissions to limit potential impact

Patch Information

Workarounds

If upgrading is not immediately possible, avoid using the webroot HTTP-01 challenge provider until the patch is applied
Consider using alternative challenge types such as DNS-01 that do not involve file system operations
Implement strict file system permissions to limit write access for the lego process to only the required challenge directory
Use containerization or sandboxing to isolate the lego process and restrict its file system access

bash

# Configuration example - Restrict lego process permissions
# Create a dedicated user with limited permissions
useradd -r -s /bin/false lego-service

# Set restrictive permissions on webroot challenge directory
chown lego-service:lego-service /var/www/html/.well-known/acme-challenge
chmod 755 /var/www/html/.well-known/acme-challenge

# Run lego with restricted user
sudo -u lego-service lego --webroot /var/www/html/.well-known/acme-challenge --domains example.com run

CVE-2026-40611: Lego ACME Path Traversal Vulnerability

CVE-2026-40611 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-40611

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-40611

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-40611

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2026-40611: Lego ACME Path Traversal Vulnerability

CVE-2026-40611 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-40611

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-40611

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-40611

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform