CVE-2026-40611

HIGH

Lego: Arbitrary File Write via Path Traversal in Webroot HTTP-01 Provider

Title source: cna

Description

Let's Encrypt client and ACME library written in Go (Lego). Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, causing lego to write attacker-influenced content to any path writable by the lego process. This vulnerability is fixed in 4.34.0.

References (1)

[X_Refsource_Confirm] https://github.com/go-acme/lego/security/advisories/GHSA-qqx8-2xmm-jrv8

Scores

CVSS v3 8.8

EPSS 0.0005

EPSS Percentile 15.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-22

Status published

Products (1)

go-acme/lego < 4.34.0

Published Apr 21, 2026

Tracked Since Apr 21, 2026