CVE-2026-14440

CAA Bypass in Cloudflare Universal SSL

Vulnerability report for CVE-2026-14440, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: Cloudflare, Inc.

Description

To issue and renew TLS certificates on behalf of customers, Cloudflare's Universal SSL feature automatically manages the CAA RRset for the customer's zone. This auto-managed RRset is permissive by design (e.g. 'issue "letsencrypt.org"' without parameters). On Universal SSL zones, Cloudflare's authoritative DNS serves this auto-managed RRset at query time, superseding any customer-configured CAA records on the zone. When a customer publishes a stricter CAA record using the RFC 8657 accounturi or validationmethods parameters, the Certificate Authority does not observe those parameters when evaluating the served RRset under RFC 8659. As a result, the RFC 8657 account-binding and validation-method-binding protections are not enforced end-to-end on Universal SSL zones.

Successful exploitation could result in issuance of a browser-trusted TLS certificate to an attacker, enabling MITM against the affected domain. Exploitation is non-trivial in practice: an attacker would need to hold an ACME account at one of the Certificate Authorities in the served CAA RRset and to simultaneously satisfy domain control validation across the multiple geographically distinct Network Perspectives the CA relies on for Multi-Perspective Issuance Corroboration. Cloudflare prefixes are anycast-announced from hundreds of locations globally, raising the bar against single-vantage-point BGP hijacks. Any resulting misissuance of a browser-trusted certificate is subject to Certificate Transparency logging required by major browsers, and would be visible to CT monitoring.

Mitigation: Customers requiring strict RFC 8657 enforcement need to disable Universal SSL on the affected zone. Universal SSL's automatic CAA management and customer-set RFC 8657 accounturi and validationmethods enforcement are mutually exclusive by the nature of the issue, so there is no in-product workaround that preserves both. Certificate Transparency monitoring is recommended for all customers as a general detection control.

Credits: David Osipov (ORCID: https://orcid.org/0009-0005-2713-9242), independent researcher
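As an added example (not Cloudflare's or the reporter's code), the following Python evaluates an issuance request against a CAA RRset under RFC 8659 with RFC 8657 parameters, then compares a constructed strict customer record with the permissive served record described above to list which requests the served RRset lets through. The account URIs, records and requests are constructed; the CA name is the one quoted in the advisory.

```python
# Added example (not Cloudflare's code): CAA evaluation per RFC 8659 with RFC 8657 parameters.
# RRsets below are constructed: the customer's strict record vs. the permissive auto-managed record.
import re
from typing import NamedTuple

class CaaRecord(NamedTuple):
    flags: int
    tag: str
    value: str
_CAA_RE = re.compile(r'^\s*(\d+)\s+(\S+)\s+"([^"]*)"\s*$')  # presentation form: flags tag "value"

def parse_caa(rr: str) -> CaaRecord:
    m = _CAA_RE.match(rr)
    if not m:
        raise ValueError(f"not a CAA record: {rr!r}")
    return CaaRecord(int(m.group(1)), m.group(2).lower(), m.group(3))

def parse_issue_value(value: str) -> tuple[str, dict[str, str]]:
    """Split 'ca.example; accounturi=...; validationmethods=a,b' into (issuer domain, parameters)."""
    issuer, *raw = (p.strip() for p in value.split(";"))
    params = dict(p.partition("=")[::2] for p in raw if p)  # 'k=v' -> (k, v)
    return issuer.lower(), {k.strip().lower(): v.strip() for k, v in params.items()}

def issuance_permitted(rrset, ca_domain, account_uri, method, wildcard=False) -> bool:
    """RFC 8659 s4: permitted if no relevant property exists, or one names this CA and all its RFC 8657 parameters hold."""
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    relevant = [r for r in rrset if r.tag == tag]
    if not relevant:
        return True  # no issue/issuewild property: CAA imposes no restriction
    for r in relevant:
        issuer, params = parse_issue_value(r.value)
        if issuer != ca_domain.lower():
            continue  # also covers the empty issuer ';', which authorizes nobody
        if params.get("accounturi", account_uri) != account_uri:
            continue  # RFC 8657 s3: property is bound to a different ACME account
        methods = params.get("validationmethods")
        if methods and method not in {m.strip() for m in methods.split(",")}:
            continue  # RFC 8657 s4: validation method not in the allowed list
        return True
    return False

def requests_escaped_by_served(intended, served, requests):
    """Requests (ca, account_uri, method) the intended RRset denies but the served RRset permits."""
    return [q for q in requests if not issuance_permitted(intended, *q) and issuance_permitted(served, *q)]

ACCT = "https://acme-v02.api.letsencrypt.org/acme/acct/111"  # constructed account URI
INTENDED = [parse_caa(f'0 issue "letsencrypt.org; accounturi={ACCT}; validationmethods=dns-01"')]
SERVED = [parse_caa('0 issue "letsencrypt.org"')]  # permissive record the advisory describes
REQUESTS = [("letsencrypt.org", ACCT, "dns-01"),  # the bound account, allowed method
            ("letsencrypt.org", ACCT.replace("111", "999"), "http-01")]  # any other account
```

Running `requests_escaped_by_served(INTENDED, SERVED, REQUESTS)` returns only the second request: the strict record would have denied it, the served record permits it. The same comparison can be run against the RRset actually returned by the zone's authoritative servers to confirm whether published parameters are in effect.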

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor: cloudflare
Product: universal_ssl
Version / Range: *

Exploitability

CWE ID: CWE-UNKNOWN

Instant insights powered by AI
Executive Summary

This vulnerability involves Cloudflare's Universal SSL feature, which automatically manages the CAA DNS records for customers' zones to issue and renew TLS certificates. The auto-managed CAA record is permissive and overrides any stricter customer-configured CAA records that use RFC 8657 parameters like accounturi or validationmethods.

Because the Certificate Authority (CA) evaluates the permissive auto-managed CAA record instead of the stricter customer record, the protections intended by RFC 8657 for account-binding and validation-method-binding are not enforced end-to-end on Universal SSL zones.

This flaw could allow an attacker who controls an ACME account at a CA listed in the permissive CAA record and can pass domain control validation to obtain a browser-trusted TLS certificate for the affected domain, potentially enabling man-in-the-middle (MITM) attacks.

Exploitation is difficult because it requires control over an ACME account and passing multi-perspective domain validation, and any misissuance would be logged in Certificate Transparency logs.

Compliance Impact

This vulnerability allows the issuance of browser-trusted TLS certificates to attackers by bypassing strict CAA record enforcement, potentially enabling man-in-the-middle (MITM) attacks against affected domains.

Such unauthorized certificate issuance could undermine the security guarantees expected by standards and regulations like GDPR and HIPAA, which require strong protections for data in transit.

However, exploitation is non-trivial due to the need for domain control validation across multiple network perspectives and the global distribution of Cloudflare's infrastructure.

Certificate Transparency logging and monitoring provide detection mechanisms for any misissuance, which can help organizations maintain compliance by identifying and responding to potential certificate misuse.

To maintain strict compliance, customers requiring enforcement of RFC 8657 protections should disable Universal SSL on affected zones, as the automatic CAA management conflicts with strict enforcement.

Impact Analysis

If exploited, this vulnerability could allow an attacker to obtain a valid TLS certificate for your domain without proper authorization, enabling them to impersonate your website.

This could lead to man-in-the-middle (MITM) attacks where attackers intercept or alter communications between your users and your site, potentially compromising sensitive data.

However, exploitation is non-trivial due to the need for an ACME account at a trusted CA and passing multi-perspective domain validation checks.

Additionally, any misissued certificates would be publicly logged in Certificate Transparency logs, allowing detection of such attacks.

Detection Guidance

Detection of this vulnerability involves monitoring Certificate Transparency logs to identify any misissuance of browser-trusted TLS certificates for your domain.

There are no specific commands provided to detect this vulnerability on your network or system.

Mitigation Strategies

To mitigate this vulnerability, customers requiring strict RFC 8657 enforcement should disable Universal SSL on the affected zone.

Since Universal SSL's automatic CAA management and customer-set RFC 8657 accounturi and validationmethods enforcement are mutually exclusive, there is no in-product workaround that preserves both.

It is also recommended to use Certificate Transparency monitoring as a general detection control.
