Severity by source
CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack is over the network/ACME but demands an ACME account and defeating multi-perspective DCV (AC:H); no target privileges (PR:N); misissued cert enables MITM decryption/tampering (C:H/I:H) with no availability impact.
Primary rating from Vendor (cloudflare).
Description (CVE.org)
Description:
To issue and renew TLS certificates on behalf of customers, Cloudflare's Universal SSL feature automatically manages the CAA RRset for the customer's zone. This auto-managed RRset is permissive by design (e.g. 'issue "letsencrypt.org"' without parameters). On Universal SSL zones, Cloudflare's authoritative DNS serves this auto-managed RRset at query time, superseding any customer-configured CAA records on the zone. When a customer publishes a stricter CAA record using the RFC 8657 accounturi or validationmethods parameters, the Certificate Authority does not observe those parameters when evaluating the served RRset under RFC 8659. As a result, the RFC 8657 account-binding and validation-method-binding protections are not enforced end-to-end on Universal SSL zones. Successful exploitation could result in issuance of a browser-trusted TLS certificate to an attacker, enabling MITM against the affected domain.
Exploitation is non-trivial in practice: an attacker would need to hold an ACME account at one of the Certificate Authorities in the served CAA RRset and to simultaneously satisfy domain control validation across the multiple geographically distinct Network Perspectives the CA relies on for Multi-Perspective Issuance Corroboration. Cloudflare prefixes are anycast-announced from hundreds of locations globally, raising the bar against single-vantage-point BGP hijacks. Any resulting misissuance of a browser-trusted certificate is subject to Certificate Transparency logging required by major browsers, and would be visible to CT monitoring.
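To make the end-to-end gap concrete, here is an added example (not Cloudflare's or any CA's code) of a minimal RFC 8659 / RFC 8657 CAA evaluator. It contrasts a customer's intended record, which binds issuance to one ACME account and one validation method, with the permissive auto-managed record the description says is served instead. The account URI and record values are constructed sample data; the evaluator covers only the `issue` tag, which is all the example needs.

```python
from dataclasses import dataclass


@dataclass
class CAARecord:
    """One CAA record in presentation format: <flags> <tag> "<value>"."""
    flags: int
    tag: str
    value: str


def parse_caa(text: str) -> CAARecord:
    flags, tag, value = text.split(" ", 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


def split_value(value: str):
    """Split an issue value into (ca_domain, {param: value}) per RFC 8657 syntax."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return parts[0].lower(), params


def issuance_permitted(rrset, ca_domain, account_uri, method) -> bool:
    """RFC 8659: with no 'issue' records any CA may issue; otherwise some
    'issue' record must name this CA. RFC 8657: if that record carries
    accounturi it must equal the requesting ACME account URI, and if it
    carries validationmethods the method actually used must be listed."""
    relevant = [r for r in map(parse_caa, rrset) if r.tag == "issue"]
    if not relevant:
        return True
    for r in relevant:
        ca, params = split_value(r.value)
        if ca != ca_domain.lower():
            continue
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue  # bound to a different ACME account
        if "validationmethods" in params:
            allowed = [m.strip() for m in params["validationmethods"].split(",")]
            if method not in allowed:
                continue  # bound to a different validation method
        return True
    return False


# Constructed sample data: the account id 12345 is a placeholder, not a real account.
OWNER_ACCT = "https://acme-v02.api.letsencrypt.org/acme/acct/12345"
CUSTOMER_RRSET = [f'0 issue "letsencrypt.org; accounturi={OWNER_ACCT}; validationmethods=dns-01"']
SERVED_RRSET = ['0 issue "letsencrypt.org"']  # what the zone actually answers with
```

With `CUSTOMER_RRSET` a request from any other account or via any other method is refused on binding grounds; with `SERVED_RRSET` any account at that CA that passes domain control validation is permitted, which is the protection loss described above.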
Mitigation:
Customers requiring strict RFC 8657 enforcement need to disable Universal SSL on the affected zone.
Universal SSL's automatic CAA management and customer-set RFC 8657 accounturi and validationmethods enforcement are mutually exclusive by the nature of the issue, so there is no in-product workaround that preserves both.
Certificate Transparency monitoring is recommended for all customers as a general detection control.
Credits:
David Osipov (ORCID: https://orcid.org/0009-0005-2713-9242), independent researcher
Analysis (AI)
TLS certificate misissuance affecting Cloudflare Universal SSL zones lets an attacker who controls an ACME account at a CA in the auto-managed CAA RRset obtain a browser-trusted certificate for a victim domain, because Cloudflare's authoritative DNS serves a permissive auto-managed CAA RRset that supersedes customer-set records and drops RFC 8657 accounturi/validationmethods bindings. The result is a bypass of account-binding and validation-method-binding protections end-to-end, enabling MITM against the affected domain. …
Vulnerability Assessment (AI)

| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires a Cloudflare zone with Universal SSL enabled where the customer relies on RFC 8657 accounturi or validationmethods CAA parameters for issuance restriction; the auto-managed permissive CAA RRset served by Cloudflare authoritative DNS is the enabling condition. … |
| Risk Assessment | Signals are mixed and point to a real-but-hard-to-exploit issue rather than a mass-exploitation emergency. … |
| Exploit Scenario | An attacker who already operates an ACME account at a CA listed in a target's auto-managed CAA RRset requests a certificate for the victim's Universal SSL domain; because the served permissive CAA record lacks the victim's account/method binding, the CA does not reject the request on binding grounds. The attacker then satisfies domain control validation across the CA's multiple network perspectives (a significant hurdle given Cloudflare anycast), obtains a browser-trusted certificate, and uses it to MITM traffic to the domain. … |
| Remediation | There is no vendor-released code patch and no in-product workaround, because Universal SSL's automatic CAA management and customer-enforced RFC 8657 account/method binding are mutually exclusive by design; customers who require strict RFC 8657 enforcement must disable Universal SSL on the affected zone and manage certificates/CAA records themselves, accepting the trade-off of losing Cloudflare's automatic edge certificate issuance and renewal. … |
Recommended Action (AI)
Within 24 hours: Identify all Cloudflare Universal SSL-protected domains and document which rely on Cloudflare's auto-managed CAA configuration. …
EUVD-2026-41207
GHSA-vrv9-rjp4-w93c