- Security researchers uncovered a flaw in Cloudflare's ACME HTTP-01 challenge handling that disabled WAF protections on specific paths.
- The vulnerability was reported via Cloudflare's bug-bounty program and validated in October 2025.
- Requests to /.well-known/acme-challenge/* could bypass WAF rules, potentially exposing origin servers to attacks.
- Cloudflare promptly patched the edge-network logic, restoring full WAF functionality for all ACME challenge traffic.
- No evidence exists that malicious actors exploited the flaw before the fix was deployed.
- Customers need not take any action; the update is automatically applied across the network.
Article Summaries:
- This post was updated on January 20, 2026. On October 13, 2025, security researchers from FearsOff identified and reported a vulnerability in Cloudflare's ACME (Automatic Certificate Management Environment) validation logic that disabled some of the WAF features on specific ACME-related paths. The vulnerability was reported and validated through Cloudflare's bug bounty program. The vulnerability was rooted in how our edge network processed requests destined for the ACME HTTP-01 challenge path (/.well-known/acme-challenge/*). Here, we'll briefly explain how this protocol works and the action w
- Cloudflare disclosed a bug in its ACME HTTP-01 challenge handling that was reported by researchers from FearsOff on October 13, 2025. The flaw caused the edge network to disable WAF features for certain ACME-related requests, allowing those requests to reach the origin even when the challenge token did not belong to a Cloudflare-managed zone. Cloudflare patched the issue with a code change that now only disables WAF when the request matches a valid, Cloudflare-served challenge token. No customer action is required, and there is no evidence of abuse. The company thanked the researchers for the responsible disclosure.
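The difference between the two behaviours summarised above can be modelled as a small policy check. The following is an added illustration, not Cloudflare's code: the weak rule exempts anything under the ACME challenge prefix from the WAF, while the corrected rule exempts a request only when its token is well-formed and matches a challenge the edge itself issued for that zone. The zone-to-token table and the token values are constructed for the example.

```python
import re
from dataclasses import dataclass

ACME_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 tokens are base64url without padding and carry at least 128 bits
# of entropy, so anything shorter than 22 characters cannot be a real token.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,}")

# Constructed sample: challenge tokens the edge has issued, keyed by zone.
# In a real deployment this would be the edge's own pending-challenge store.
PENDING_CHALLENGES = {
    "example.com": {"pq3YfQ0wq9hB3cJtqbe2PkpAJ6PdUzwFh4MQeoTrx1s"},
}


@dataclass
class Request:
    host: str
    path: str


def bypass_waf_weak(req: Request) -> bool:
    """Path-prefix rule: every request under the ACME prefix skips the WAF,
    whatever follows the prefix. This is the shape of the flaw described above."""
    return req.path.startswith(ACME_PREFIX)


def bypass_waf_fixed(req: Request, pending=PENDING_CHALLENGES) -> bool:
    """Token-aware rule: skip the WAF only for a syntactically valid token that
    the edge itself issued for the requested zone. Everything else stays
    behind the WAF."""
    if not req.path.startswith(ACME_PREFIX):
        return False
    token = req.path[len(ACME_PREFIX):]
    if not TOKEN_RE.fullmatch(token):
        return False
    return token in pending.get(req.host, set())


if __name__ == "__main__":
    unknown = Request("example.com", ACME_PREFIX + "not-an-issued-token-value-x")
    issued = Request("example.com", ACME_PREFIX + "pq3YfQ0wq9hB3cJtqbe2PkpAJ6PdUzwFh4MQeoTrx1s")
    print("weak rule, unknown token:", bypass_waf_weak(unknown))    # True (bypass)
    print("fixed rule, unknown token:", bypass_waf_fixed(unknown))  # False
    print("fixed rule, issued token:", bypass_waf_fixed(issued))    # True
```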