CVE-2026-40611
Published: 21 April 2026
Summary
CVE-2026-40611 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.8 (High).
Exploitation of this flaw maps to the MITRE ATT&CK technique Ingress Tool Transfer (T1105). The CVE ranks at the 15.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely remediation of the path traversal flaw in Lego versions prior to 4.34.0, eliminating the vulnerability to crafted ACME challenge tokens.
Mandates validation of inputs such as ACME challenge tokens to block path traversal sequences like ../, directly addressing the core sanitization failure.
Limits damage from arbitrary file writes and deletions by enforcing least privilege on the Lego process, restricting writable paths.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal enables arbitrary file writes (facilitating T1105 Ingress Tool Transfer of attacker-controlled content) and deletions (enabling T1070.004 File Deletion) to paths writable by the Lego process.
NVD Description
Let's Encrypt client and ACME library written in Go (Lego). Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, causing lego to write attacker-influenced content to any path writable by the lego process. This vulnerability is fixed in 4.34.0.
Deeper analysis
CVE-2026-40611 is a path traversal vulnerability (CWE-22) in the webroot HTTP-01 challenge provider of Lego, a Go-based ACME client library and Let's Encrypt client. Versions of Lego prior to 4.34.0 are affected, where the provider fails to properly sanitize challenge tokens supplied by an ACME server. This allows attackers to include directory traversal sequences such as "../" in the token, enabling arbitrary file writes and deletions to paths writable by the Lego process. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Exploitation requires a malicious or compromised ACME server that the victim interacts with using Lego's webroot HTTP-01 challenge mode, typically during certificate issuance or renewal. The attacker needs no privileges on the victim system, but user interaction is required: the victim must run Lego (for example, by executing an issuance or renewal command) against the server that returns the crafted challenge token. Successful exploitation lets the attacker write attacker-influenced content to, or delete files from, any location writable by the Lego process, with high confidentiality, integrity, and availability impact depending on the process privileges and system configuration.
The GitHub security advisory (GHSA-qqx8-2xmm-jrv8) confirms the issue and states that it is fixed in Lego version 4.34.0. Security practitioners should advise users to upgrade to 4.34.0 or later and review usage of the webroot HTTP-01 provider, considering alternatives like other challenge types if interacting with untrusted ACME servers.
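The input validation that SI-10 calls for, shown as an added Go example rather than Lego's own code: the helper checks an HTTP-01 challenge token against the URL-safe base64 alphabet that RFC 8555 requires for tokens, then confirms that the joined path still lies under the webroot's acme-challenge directory. The function name, the webroot path and the sample tokens are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// ErrBadToken is returned when a challenge token fails validation.
var ErrBadToken = errors.New("invalid ACME challenge token")

// RFC 8555 section 8.3: a challenge token consists only of URL-safe base64
// characters without padding. Anything else, including "/", "\" and ".",
// is rejected before the token ever reaches a filesystem call.
var tokenRe = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// ChallengeFilePath returns the file under webroot where the HTTP-01 key
// authorization for token should be written. It refuses tokens that could
// escape the acme-challenge directory, the defect class in CVE-2026-40611
// (a token containing "../" that was joined to the webroot unchecked).
func ChallengeFilePath(webroot, token string) (string, error) {
	if !tokenRe.MatchString(token) {
		return "", ErrBadToken
	}
	base := filepath.Join(webroot, ".well-known", "acme-challenge")
	target := filepath.Join(base, token)

	// Defence in depth: even if the character check were relaxed later,
	// confirm the cleaned path is still inside the challenge directory.
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadToken
	}
	return target, nil
}

func main() {
	// Constructed tokens: one well-formed, one carrying a traversal sequence.
	for _, tok := range []string{"tokenA-bCdE_12", "../../outside"} {
		p, err := ChallengeFilePath("/var/www/html", tok)
		fmt.Printf("token %q -> path %q err %v\n", tok, p, err)
	}
}
```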
Details
- CWE(s)