PT-2026-33383 · Lego · Lego

Published 2026-04-16 · Updated 2026-04-23 · CVE-2026-40611

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Lego versions prior to 4.34.0

Description: The webroot HTTP-01 challenge provider in Lego is subject to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, which the ChallengePath() function concatenates into the file path without validation. This lets the server influence the path, so the software writes or deletes content at any location writable by the Lego process. The issue occurs because the software fails to enforce the base64url alphabet constraint for ACME tokens specified in RFC 8555. The vulnerable logic is present in the ChallengePath() function and the CleanUp() function.

Recommendations: Update to version 4.34.0.
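The snippet below is an added example and not Lego's own code. It reproduces the pattern the description gives (a server-supplied token joined into the webroot path with no validation) beside a hardened version that enforces the RFC 8555 base64url token alphabet before building the path and then confirms the result stays inside the challenge directory. The function names, the webroot and the sample tokens are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
)

// ErrInvalidToken: RFC 8555 requires tokens to be unpadded base64url only.
var ErrInvalidToken = errors.New("acme: challenge token is not unpadded base64url")

// isBase64URLToken accepts only A-Z, a-z, 0-9, '-' and '_' (never '.', '/', '=').
func isBase64URLToken(tok string) bool {
	if tok == "" {
		return false
	}
	for _, c := range tok {
		ok := (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
			(c >= '0' && c <= '9') || c == '-' || c == '_'
		if !ok {
			return false
		}
	}
	return true
}

// unsafeChallengePath reproduces the pattern the advisory describes: the
// server-supplied token is joined with no validation, so "../" escapes the dir.
func unsafeChallengePath(webroot, token string) string {
	return filepath.Join(webroot, ".well-known", "acme-challenge", token)
}

// safeChallengePath validates the token first and, as a second line of defence,
// refuses any result that is not a direct child of the challenge directory.
func safeChallengePath(webroot, token string) (string, error) {
	if !isBase64URLToken(token) {
		return "", ErrInvalidToken
	}
	dir := filepath.Join(webroot, ".well-known", "acme-challenge")
	p := filepath.Join(dir, token)
	if filepath.Dir(p) != dir {
		return "", ErrInvalidToken
	}
	return p, nil
}

func main() {
	fmt.Println(unsafeChallengePath("/var/www", "../../../outside.txt")) // /var/outside.txt
	fmt.Println(safeChallengePath("/var/www", "../../../outside.txt"))   // "" + ErrInvalidToken
}
```

Both the path used for writing the challenge file and the one used by clean-up should go through the validating function, since the description names both ChallengePath() and CleanUp() as affected.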

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2026-40611, GHSA-QQX8-2XMM-JRV8

Affected Products: Lego