
Cloudflare Universal SSL CVE-2026-14440

EUVD: EUVD-2026-41207 · HIGH
Improperly Implemented Security Check for Standard (CWE-358)
2026-07-01 · cloudflare · GHSA-vrv9-rjp4-w93c
7.6 · CVSS 4.0 · Vendor: cloudflare

Severity by source

Vendor (cloudflare), primary rating: 7.6 HIGH
CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 7.4 HIGH

Attack is over the network/ACME but demands an ACME account and defeating multi-perspective DCV (AC:H); no target privileges (PR:N); misissued cert enables MITM decryption/tampering (C:H/I:H) with no availability impact.

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (cloudflare).

CVSS Vector (Vendor: cloudflare)

CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None

Lifecycle Timeline

1. Analysis Generated: Jul 01, 2026 - 23:20 (vuln.today)

Description (source: CVE.org)

Description:

To issue and renew TLS certificates on behalf of customers, Cloudflare's Universal SSL feature automatically manages the CAA RRset for the customer's zone. This auto-managed RRset is permissive by design (e.g. 'issue "letsencrypt.org"' without parameters). On Universal SSL zones, Cloudflare's authoritative DNS serves this auto-managed RRset at query time, superseding any customer-configured CAA records on the zone. When a customer publishes a stricter CAA record using the RFC 8657 accounturi or validationmethods parameters, the Certificate Authority does not observe those parameters when evaluating the served RRset under RFC 8659. As a result, the RFC 8657 account-binding and validation-method-binding protections are not enforced end-to-end on Universal SSL zones. Successful exploitation could result in issuance of a browser-trusted TLS certificate to an attacker, enabling MITM against the affected domain.

Exploitation is non-trivial in practice: an attacker would need to hold an ACME account at one of the Certificate Authorities in the served CAA RRset and to simultaneously satisfy domain control validation across the multiple geographically distinct Network Perspectives the CA relies on for Multi-Perspective Issuance Corroboration. Cloudflare prefixes are anycast-announced from hundreds of locations globally, raising the bar against single-vantage-point BGP hijacks. Any resulting misissuance of a browser-trusted certificate is subject to Certificate Transparency logging required by major browsers, and would be visible to CT monitoring.

Mitigation:

Customers requiring strict RFC 8657 enforcement need to disable Universal SSL on the affected zone.

Universal SSL's automatic CAA management and customer-set RFC 8657 accounturi and validationmethods enforcement are mutually exclusive by the nature of the issue, so there is no in-product workaround that preserves both.

Certificate Transparency monitoring is recommended for all customers as a general detection control.
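As an added illustration (not Cloudflare's code and not part of the advisory), the following RFC 8659 CAA evaluator with the RFC 8657 accounturi and validationmethods parameters shows why the customer's strict record rejects an issuance request from an unbound ACME account, while the auto-managed 'issue "letsencrypt.org"' record accepts it; it also includes a check a zone owner can run against the RRset actually served to detect dropped bindings. The account URIs and record text are constructed placeholders.

```python
# Added example (not Cloudflare's, vuln.today's or any CA's code): a minimal
# RFC 8659 CAA "issue" evaluator with the RFC 8657 accounturi/validationmethods
# parameters, run over the customer's intended strict record and the permissive
# auto-managed record the advisory describes. Account URIs are placeholders.
import re
from collections import namedtuple

CAARecord = namedtuple("CAARecord", "tag issuer params")  # issuer "" = no issuance

def parse_caa(text):
    """Parse one CAA RR in presentation form, e.g. 0 issue "ca.example; k=v"."""
    m = re.match(r'^\s*\d+\s+(\S+)\s+"([^"]*)"\s*$', text)
    if not m:
        raise ValueError("not a CAA record: %r" % text)
    issuer, *raw = [p.strip() for p in m.group(2).split(";")]
    params = {k.strip().lower(): v.strip() for k, v in
              (p.split("=", 1) for p in raw if "=" in p)}
    return CAARecord(m.group(1).lower(), issuer.lower(), params)

def issuance_allowed(rrset, ca_domain, account_uri, method):
    """RFC 8659 issue-record matching plus the RFC 8657 parameter checks."""
    issue = [r for r in rrset if r.tag == "issue"]
    if not issue:                 # no issue records: CAA does not restrict issuance
        return True
    for r in issue:
        if r.issuer != ca_domain.lower():
            continue
        acct = r.params.get("accounturi")   # RFC 8657: must equal the requesting account
        if acct is not None and acct != account_uri:
            continue
        methods = r.params.get("validationmethods")   # RFC 8657: comma-separated list
        if methods is not None and method not in [x.strip() for x in methods.split(",")]:
            continue
        return True               # this record authorises the request
    return False

def bindings_preserved(intended, served):
    """Detection check: every intended record that carries RFC 8657 parameters
    must be present, with identical parameters, in the RRset actually served."""
    return all(any(s.tag == r.tag and s.issuer == r.issuer and s.params == r.params
                   for s in served) for r in intended if r.params)

# Constructed sample data: the customer's strict record vs. the auto-managed one.
OWN = "https://acme-v02.api.letsencrypt.org/acme/acct/CUSTOMER-ID-PLACEHOLDER"
OTHER = "https://acme-v02.api.letsencrypt.org/acme/acct/OTHER-ID-PLACEHOLDER"
STRICT = [parse_caa('0 issue "letsencrypt.org; accounturi=%s; validationmethods=dns-01"' % OWN)]
SERVED = [parse_caa('0 issue "letsencrypt.org"')]
```

Feeding the served RRset (what a public resolver returns for the zone) into bindings_preserved alongside the intended records is the check that distinguishes a zone where the strict record is actually enforced from one where it has been superseded.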

Credits:

David Osipov (ORCID: https://orcid.org/0009-0005-2713-9242), independent researcher

Analysis (AI-generated)

TLS certificate misissuance affecting Cloudflare Universal SSL zones lets an attacker who controls an ACME account at a CA in the auto-managed CAA RRset obtain a browser-trusted certificate for a victim domain, because Cloudflare's authoritative DNS serves a permissive auto-managed CAA RRset that supersedes customer-set records and drops RFC 8657 accounturi/validationmethods bindings. The result is a bypass of account-binding and validation-method-binding protections end-to-end, enabling MITM against the affected domain. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Register ACME account at listed CA
  • Delivery: Target Universal SSL zone with strict CAA
  • Exploit: Request cert bypassing RFC 8657 binding
  • Execution: Satisfy DCV across CA network perspectives
  • Persist: Obtain browser-trusted certificate
  • Impact: MITM victim domain traffic

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires a Cloudflare zone with Universal SSL enabled where the customer relies on RFC 8657 accounturi or validationmethods CAA parameters for issuance restriction; the auto-managed permissive CAA RRset served by Cloudflare authoritative DNS is the enabling condition. …

Risk Assessment: Signals are mixed and point to a real-but-hard-to-exploit issue rather than a mass-exploitation emergency. …

Exploit Scenario: An attacker who already operates an ACME account at a CA listed in a target's auto-managed CAA RRset requests a certificate for the victim's Universal SSL domain; because the served permissive CAA record lacks the victim's account/method binding, the CA does not reject the request on binding grounds. The attacker then satisfies domain control validation across the CA's multiple network perspectives (a significant hurdle given Cloudflare anycast), obtains a browser-trusted certificate, and uses it to MITM traffic to the domain. …

Remediation: There is no vendor-released code patch and no in-product workaround, because Universal SSL's automatic CAA management and customer-enforced RFC 8657 account/method binding are mutually exclusive by design; customers who require strict RFC 8657 enforcement must disable Universal SSL on the affected zone and manage certificates/CAA records themselves, accepting the trade-off of losing Cloudflare's automatic edge certificate issuance and renewal. …

Recommended Action (AI-generated)

Within 24 hours: Identify all Cloudflare Universal SSL-protected domains and document which rely on Cloudflare's auto-managed CAA configuration. …


CVE-2026-14440 vulnerability details – vuln.today
