Cloudflare has patched a flaw that let carefully crafted traffic bypass its Web Application Firewall and reach some customers’ origin servers. The weakness sat in Cloudflare’s handling of ACME HTTP-01 challenges, the automated domain-validation step behind TLS certificate issuance and renewal.
FearsOff researchers reported the bug through Cloudflare’s bug bounty program in October 2025. This week, Cloudflare confirmed the fix already runs on its edge network, so customers do not need to take action.
In an ACME HTTP-01 challenge, the certificate authority confirms that the applicant controls a domain by fetching a challenge response over plain HTTP from a well-known path on that host, /.well-known/acme-challenge/<token>. Strict WAF rules can block that fetch, so Cloudflare’s edge logic relaxes a set of WAF features while it serves a valid challenge response. That exception exists to keep automated renewals from failing.
However, the researchers found that Cloudflare’s earlier logic did not bind the token to the hostname in the request: it checked that the token existed somewhere in Cloudflare’s system, not that it belonged to the zone being requested. An attacker could therefore request the ACME path on a target hostname using a token issued for a different zone. The edge relaxed the WAF features and then forwarded the request to the target’s origin, so requests on that path reached the origin with those WAF rules bypassed.
In a blog post dated January 19, 2026 and updated January 20, Cloudflare said it pushed a permanent fix on October 27, 2025. The edge now disables those WAF features only when the request matches a valid ACME HTTP-01 challenge token for that specific hostname, and only when Cloudflare has the correct challenge response to serve. Cloudflare also said it has not seen evidence that anyone abused the bug before the patch.
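To make the difference between the two checks concrete, here is a small Python model of the decision described in the two paragraphs above: the pre-fix lookup that only asked whether a token existed, and the patched lookup that ties the token to the requested hostname and to a servable response. It is an added illustration written for this article, not Cloudflare’s code; the Edge class, the two-way token index, and the zone names and tokens are constructed assumptions about how such a check could be structured.

```python
"""Toy model of an edge that relaxes WAF checks for ACME HTTP-01 challenge paths.

Written as an illustration for this article; it is NOT Cloudflare's code, and
the zones, hostnames and tokens below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

ACME_PREFIX = "/.well-known/acme-challenge/"


@dataclass(frozen=True)
class Challenge:
    """A pending HTTP-01 challenge the edge knows about (hypothetical shape)."""
    hostname: str                     # zone hostname the token was issued for
    token: str
    key_authorization: Optional[str]  # response body; None if not available yet


@dataclass(frozen=True)
class Decision:
    waf_relaxed: bool  # were the ACME-related WAF features switched off?
    action: str        # "serve" (edge answers), "forward" (to origin), "waf" (normal path)


def parse_acme_token(path: str) -> Optional[str]:
    """Return the token segment of an HTTP-01 challenge path, else None.

    Accepts exactly one path segment under the prefix; anything with extra
    segments or a query/fragment is treated as a normal request.
    """
    if not path.startswith(ACME_PREFIX):
        return None
    token = path[len(ACME_PREFIX):]
    if not token or any(ch in token for ch in "/?#"):
        return None
    return token


class Edge:
    def __init__(self, challenges: Iterable[Challenge]):
        challenges = list(challenges)
        # Hypothetical: pending challenges indexed edge-wide by token alone,
        # and by (hostname, token) for the hostname-bound check.
        self._by_token: Dict[str, Challenge] = {c.token: c for c in challenges}
        self._by_host_token: Dict[Tuple[str, str], Challenge] = {
            (c.hostname, c.token): c for c in challenges
        }

    def decide_vulnerable(self, host: str, path: str) -> Decision:
        """Pre-fix logic as the article describes it: token existence only."""
        token = parse_acme_token(path)
        if token is None or token not in self._by_token:
            return Decision(False, "waf")
        # WAF features are relaxed as soon as *some* zone owns the token.
        owned = self._by_host_token.get((host, token))
        if owned is not None and owned.key_authorization is not None:
            return Decision(True, "serve")
        return Decision(True, "forward")   # another zone's token: relaxed and sent to origin

    def decide_fixed(self, host: str, path: str) -> Decision:
        """Post-fix logic: token must belong to this hostname and be answerable."""
        token = parse_acme_token(path)
        if token is None:
            return Decision(False, "waf")
        owned = self._by_host_token.get((host, token))
        if owned is None or owned.key_authorization is None:
            return Decision(False, "waf")  # ordinary request, full WAF applies
        return Decision(True, "serve")     # edge answers the challenge itself


# Constructed sample data: two zones with answerable challenges, one still pending.
CHALLENGES = [
    Challenge("victim.example", "tokA", "tokA.victim-thumbprint"),
    Challenge("other.example", "tokB", "tokB.other-thumbprint"),
    Challenge("pending.example", "tokC", None),
]
EDGE = Edge(CHALLENGES)


def cross_zone_probe(edge: Edge = EDGE) -> Tuple[Decision, Decision]:
    """Request victim.example's ACME path with a token issued for other.example."""
    host, path = "victim.example", ACME_PREFIX + "tokB"
    return edge.decide_vulnerable(host, path), edge.decide_fixed(host, path)


if __name__ == "__main__":
    vulnerable, fixed = cross_zone_probe()
    print("vulnerable:", vulnerable)  # waf_relaxed=True, action='forward'
    print("fixed:     ", fixed)       # waf_relaxed=False, action='waf'
```

Running the module shows the cross-zone probe: the pre-fix decision relaxes the WAF and forwards the request to the target’s origin, while the patched decision treats it as an ordinary request under full WAF rules. The third sample challenge, which has no response available yet, exercises the second half of the fix: a token that matches the hostname but that the edge cannot answer also gets no WAF exception.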
Still, the episode highlights an uncomfortable truth about modern web stacks: the odd little maintenance hallway can matter as much as the front door. FearsOff compared the WAF to an entryway and ACME to a corridor meant for a certificate robot, not strangers. Meanwhile, attackers keep automating discovery, so predictable paths and special-case logic can draw attention fast, especially when teams treat the edge as the whole security story.
