CVE-2026-40611
Status: Received - Intake
Path Traversal in Lego Webroot HTTP-01 Allows Arbitrary File Write

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
Let's Encrypt client and ACME library written in Go (Lego). Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, causing lego to write attacker-influenced content to any path writable by the lego process. This vulnerability is fixed in 4.34.0.
Meta Information
Published: 2026-04-21
Last Modified: 2026-04-21
Generated: 2026-05-07
AI Q&A: 2026-04-21
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Showing 2 associated CPEs

Vendor       Product   Version / Range
letsencrypt  lego      up to 4.34.0 (excluding 4.34.0)
go-acme      lego      up to 4.34.0 (excluding 4.34.0)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in CVE-2026-40611 affects the go-acme/lego project's webroot HTTP-01 challenge provider. It arises because the software does not properly validate the ACME challenge token before using it to construct file paths. Specifically, the token is concatenated directly into a file path without sanitization, allowing path traversal sequences like "../".

This means a malicious ACME server can supply a crafted token containing path traversal characters, causing lego to write or delete files outside the intended directory. This can lead to arbitrary file write and deletion anywhere the lego process has write permissions.

The root cause is the lack of enforcement of the ACME specification's token restrictions, which should only allow base64url characters. The vulnerability was fixed in lego version 4.34.0.
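The following Go example is added here to illustrate the two points above; it is hypothetical code written for this page, not lego's own implementation or its actual fix. ChallengePath mirrors the vulnerable pattern the description gives (the token joined straight into the webroot path, so filepath.Join's cleaning turns "../" into a real escape). SafeChallengePath shows the corrective approach the text names: reject any token outside the base64url alphabet that RFC 8555 section 8.3 mandates, then confirm the resolved path still sits under the challenge directory before writing (Present) or deleting (CleanUp). The tokens, key authorization string and directory names are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// ChallengePath mirrors the vulnerable pattern the description gives: the
// ACME token is joined straight into the webroot path. filepath.Join cleans
// the result, so a token such as "../../../../etc/cron.d/x" resolves to
// "/etc/cron.d/x" and escapes the webroot. Hypothetical code, not lego's.
func ChallengePath(webroot, token string) string {
	return filepath.Join(webroot, ".well-known", "acme-challenge", token)
}

// tokenRe is the unpadded base64url alphabet, which is what RFC 8555
// section 8.3 requires of an HTTP-01 token.
var tokenRe = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

var (
	ErrBadToken       = errors.New("acme token is not base64url")
	ErrEscapesWebroot = errors.New("challenge path escapes webroot")
)

// ValidateToken rejects anything outside the base64url alphabet; that alone
// excludes ".", "/", "\\" and "=" and therefore every traversal sequence.
func ValidateToken(token string) error {
	if !tokenRe.MatchString(token) {
		return ErrBadToken
	}
	return nil
}

// SafeChallengePath validates the token and then, as a second line of
// defence, checks that the resolved path is still inside the challenge dir.
func SafeChallengePath(webroot, token string) (string, error) {
	if err := ValidateToken(token); err != nil {
		return "", err
	}
	base := filepath.Join(webroot, ".well-known", "acme-challenge")
	full := filepath.Join(base, token)
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesWebroot
	}
	return full, nil
}

// Present writes the key authorization for a token; CleanUp removes it.
// Both go through SafeChallengePath, so a hostile token can neither write
// nor delete outside the challenge directory (the description notes the
// deletion side goes through a CleanUp() function in lego).
func Present(webroot, token, keyAuth string) error {
	p, err := SafeChallengePath(webroot, token)
	if err != nil {
		return err
	}
	if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
		return err
	}
	return os.WriteFile(p, []byte(keyAuth), 0o644)
}

func CleanUp(webroot, token string) error {
	p, err := SafeChallengePath(webroot, token)
	if err != nil {
		return err
	}
	return os.Remove(p)
}

func main() {
	webroot, _ := os.MkdirTemp("", "webroot")
	defer os.RemoveAll(webroot)

	// Constructed tokens: one well-formed, one carrying a traversal sequence.
	for _, tok := range []string{"tokenABC123_-xyz", "../../../../etc/cron.d/x"} {
		fmt.Printf("unsafe join would target: %s\n", ChallengePath(webroot, tok))
		if err := Present(webroot, tok, "keyauth-constructed"); err != nil {
			fmt.Printf("rejected %q: %v\n", tok, err)
			continue
		}
		fmt.Printf("wrote challenge for %q\n", tok)
		_ = CleanUp(webroot, tok)
	}
}
```

The alphabet check is the real fix; the filepath.Rel containment test is deliberately redundant so that a future change to the token rule cannot silently reopen the traversal. The same validated path is used for both the write and the delete, which is what closes the deletion variant the description mentions.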


How can this vulnerability impact me?

This vulnerability can have severe impacts including remote code execution, data destruction, and privilege escalation.

  • An attacker can write arbitrary files to sensitive locations such as cron directories, systemd unit paths, shell profiles, or web application directories, potentially leading to remote code execution.
  • Data destruction is possible by overwriting configuration files, TLS certificates, or application state.
  • If lego runs with elevated privileges (e.g., as root), an attacker can escalate privileges by writing files anywhere on the filesystem.
  • Arbitrary file deletion is also possible via the CleanUp() function, which deletes files based on the unsanitized token.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the lego client version in use is prior to 4.34.0, as versions before this do not sanitize ACME tokens properly, allowing path traversal.

To detect exploitation attempts or presence of malicious files, you can look for unexpected files created outside the intended webroot directory, especially files with path traversal patterns in their names.

Suggested commands include searching for files created by lego in unusual locations such as /tmp or other writable directories that should not contain ACME challenge files.

  • Check lego version: `lego --version`
  • Find suspicious files possibly created by path traversal: `find /tmp -type f -name '*acme-challenge*'` or `find / -type f -user lego -mtime -7` to find recent files owned by lego user.
  • Monitor lego logs for unusual challenge tokens containing '../' sequences.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows arbitrary file write and deletion by a malicious ACME server, potentially leading to remote code execution, data destruction, and privilege escalation. This can result in unauthorized access, modification, or deletion of sensitive data.

Such unauthorized data manipulation and potential data breaches could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of data confidentiality, integrity, and availability.

Specifically, the high impact on confidentiality, integrity, and availability (as indicated by the CVSS score) means that organizations using vulnerable versions of lego may face increased risk of non-compliance due to potential data exposure or loss.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the lego client to version 4.34.0 or later, where the vulnerability has been fixed by proper sanitization of the ACME token.

Until the upgrade can be performed, avoid using the webroot HTTP-01 challenge provider with lego against untrusted or potentially malicious ACME servers.

Restrict the permissions of the lego process to limit writable directories, minimizing the impact of arbitrary file writes or deletions.

Monitor your system for suspicious files or deletions that could indicate exploitation attempts.

