PT-2026-54701 · Cloudflare · Universal Ssl
David Osipov
·
Published
2026-07-01
·
Updated
2026-07-02
·
CVE-2026-14440
CVSS v3.1
6.8
Medium
| Vector | AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Cloudflare (affected versions not specified)
Description
Cloudflare's Universal SSL feature automatically manages the Certification Authority Authorization (CAA) Resource Record Set (RRset) for customer zones. This auto-managed RRset is permissive and supersedes any customer-configured CAA records. Consequently, when customers implement stricter CAA records using
accounturi or validationmethods parameters as defined in RFC 8657, these protections are not enforced. This failure in account-binding and validation-method-binding could allow an attacker to obtain a browser-trusted TLS certificate for the affected domain, potentially enabling Man-in-the-Middle (MITM) attacks. Exploitation requires the attacker to hold an ACME account with a supported Certificate Authority and satisfy domain control validation across multiple geographically distinct network perspectives.Recommendations
Disable Universal SSL on the affected zone to ensure strict RFC 8657 enforcement.
Implement Certificate Transparency monitoring as a general detection control.
Exploit
Fix
Protection Mechanism Failure
Improperly Implemented Security Check for Standard
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Universal Ssl