CVE-2026-40611
Published 2026-04-21
Priority P3 · 53 · high · 8.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.34% (25.8th percentile)
Let's Encrypt client and ACME library written in Go (Lego). Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, causing lego to write attacker-influenced content to any path writable by the lego process. This vulnerability is fixed in 4.34.0.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| devspaces | traefik-rhel9 | — | — |
| github.com | go-acme_lego | 0 – 2.7.2 | — |
| github.com | go-acme_lego_v3 | 0 – 3.9.0 | — |
| github.com | go-acme_lego_v4 | >= 0 < 4.34.0 | 4.34.0 |
| go-acme | lego | < 4.34.0 | 4.34.0 |
CVSS provenance
nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vendor_redhat · 8.8 HIGH
Red Hat
github.com/go-acme/lego: Lego: Arbitrary file write and deletion via path traversal from a malicious ACME server
vendor_redhat·2026-04-21·CVSS 8.8
CVE-2026-40611 [HIGH] CWE-22 github.com/go-acme/lego: Lego: Arbitrary file write and deletion via path traversal from a malicious ACME server
A flaw was found in lego, the Let's Encrypt client and ACME library written in Go. A malicious ACME (Automated Certificate Management Environment) server can exploit a path traversal vulnerability in the webroot HTTP-01 challenge provider. By supplying a specially crafted challenge token containing directory traversal sequences, the server can cause lego to write or delete files in arbitrary locations on the system where lego is running, potentially leading to system compromise.
Statement: The `lego` client, utilized in Red Hat OpenShift Dev Spaces, is susceptible to a path traversal vulnerability within its webroot HTTP-01 challenge provider. A malicious ACME server could exp
VulDB
go-acme lego up to 4.33.x path traversal (GHSA-qqx8-2xmm-jrv8)
vuldb·2026-04-21·CVSS 8.8
CVE-2026-40611 [HIGH] go-acme lego up to 4.33.x path traversal (GHSA-qqx8-2xmm-jrv8)
A vulnerability described as critical has been identified in go-acme lego up to 4.33.x. The impacted element is an unknown function. Executing a manipulation can lead to path traversal.
This vulnerability is tracked as CVE-2026-40611. The attack can be launched remotely. No exploit exists.
Upgrading the affected component is recommended.
GHSA
ACME Lego: Arbitrary File Write via Path Traversal in Webroot HTTP-01 Provider
ghsa·2026-04-16
CVE-2026-40611 [HIGH] CWE-22 ACME Lego: Arbitrary File Write via Path Traversal in Webroot HTTP-01 Provider
### Summary
The webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing `../` sequences, causing lego to write attacker-influenced content to any path writable by the lego process.
### Details
The `ChallengePath()` function in `challenge/http01/http_challenge.go:26-27` constructs the challenge file path by directly concatenating the ACME token without any validation:
```go
// Vulnerable version as described in the advisory: the ACME-supplied token is
// concatenated into the path with no validation of its contents.
func ChallengePath(token string) string {
	return "/.well-known/acme-challenge/" + token
}
```
The webroot provider in `providers/http/webroot/webroot.go:31` then joins this with the configured webroot director
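The advisory's point is that the token reaches the filesystem unvalidated. As an added example (not lego's code and not the fix shipped in 4.34.0), the function below shows the two checks a defender would want on that path: an allow-list on the token itself, since RFC 8555 defines ACME tokens as unpadded base64url, and a containment check that the cleaned path still sits under the webroot. The function name `ChallengeFilePath`, the webroot `/var/www` and the sample tokens are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// ACME challenge tokens are base64url strings without padding (RFC 8555,
// section 8.3), so a strict allow-list is the natural validation: any token
// containing '/', '.', or other characters is rejected before a path is built.
var tokenRe = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

var (
	ErrBadToken = errors.New("challenge token is not a valid base64url string")
	ErrEscape   = errors.New("challenge path resolves outside the webroot")
)

// ChallengeFilePath is a hypothetical hardened counterpart to the unvalidated
// ChallengePath quoted in the advisory. It returns the absolute file path for
// token under webroot, or an error if the token is malformed or the resulting
// path would leave the webroot.
func ChallengeFilePath(webroot, token string) (string, error) {
	if !tokenRe.MatchString(token) {
		return "", ErrBadToken
	}
	root, err := filepath.Abs(webroot)
	if err != nil {
		return "", err
	}
	full := filepath.Join(root, ".well-known", "acme-challenge", token)

	// Defence in depth: even with the allow-list, confirm that the cleaned
	// path is still inside root before it is used for any write or delete.
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscape
	}
	return full, nil
}

func main() {
	// Constructed sample tokens: one well-formed, two that must be rejected.
	samples := []string{"evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA", "../../tmp/x", ""}
	for _, tok := range samples {
		p, err := ChallengeFilePath("/var/www", tok)
		if err != nil {
			fmt.Printf("reject %q: %v\n", tok, err)
			continue
		}
		fmt.Printf("accept %q -> %s\n", tok, p)
	}
}
```

The allow-list is the check that actually closes the class of bug; the `filepath.Rel` test is there so that a future change to how the path is assembled cannot silently reintroduce an escape.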
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-40611 golang-github-acme-lego: Lego: Arbitrary file write and deletion via path traversal from a malicious ACME server [fedora-all]
bugzilla·2026-04-24·CVSS 8.8
CVE-2026-40611 [HIGH] golang-github-acme-lego: Lego: Arbitrary file write and deletion via path traversal from a malicious ACME server [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-40611 github.com/go-acme/lego: Lego: Arbitrary file write and deletion via path traversal from a malicious ACME server
bugzilla·2026-04-21·CVSS 8.8
CVE-2026-40611 [HIGH] github.com/go-acme/lego: Lego: Arbitrary file write and deletion via path traversal from a malicious ACME server
Let's Encrypt client and ACME library written in Go (Lego). Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, causing lego to write attacker-influenced content to any path writable by the lego process. This vulnerability is fixed in 4.34.0.
References:
https://github.com/go-acme/lego/security/advisories/GHSA-qqx8-2xmm-jrv8
https://access.redhat.com/errata/RHSA-2026:21772
https://access.redhat.com/security/cve/CVE-2026-40611
https://bugzilla.redhat.com/show_bug.cgi?id=2460233
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40611.json
Published 2026-04-21