Cloudflare WAF Bypass Flaw Exposed Origins via ACME Path, Patch Deployed

TL;DR Summary
Researchers disclosed a critical flaw in Cloudflare’s edge processing that allowed requests to the ACME HTTP-01 validation path (/.well-known/acme-challenge/) to bypass WAF rules and reach origin servers, potentially exposing data across common frameworks (e.g., Spring/Tomcat, Next.js, PHP). Cloudflare issued a fix on Oct 27, 2025, ensuring that ACME traffic is evaluated by WAF rules again; no customer action is required, and there is no evidence of exploitation in the wild.
- Cloudflare Zero-Day Vulnerability Enables Any Host Access Bypassing Protections Cyber Security News
- How we mitigated a vulnerability in Cloudflare’s ACME validation logic The Cloudflare Blog
- Leland Garofalo The Cloudflare Blog