PT-2026-54701 · Cloudflare · Universal Ssl

David Osipov

·

Published

2026-07-01

·

Updated

2026-07-02

·

CVE-2026-14440

CVSS v3.1

6.8

Medium

VectorAV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions Cloudflare (affected versions not specified)
Description Cloudflare's Universal SSL feature automatically manages the Certification Authority Authorization (CAA) Resource Record Set (RRset) for customer zones. This auto-managed RRset is permissive and supersedes any customer-configured CAA records. Consequently, when customers implement stricter CAA records using accounturi or validationmethods parameters as defined in RFC 8657, these protections are not enforced. This failure in account-binding and validation-method-binding could allow an attacker to obtain a browser-trusted TLS certificate for the affected domain, potentially enabling Man-in-the-Middle (MITM) attacks. Exploitation requires the attacker to hold an ACME account with a supported Certificate Authority and satisfy domain control validation across multiple geographically distinct network perspectives.
Recommendations Disable Universal SSL on the affected zone to ensure strict RFC 8657 enforcement. Implement Certificate Transparency monitoring as a general detection control.

Exploit

Fix

Protection Mechanism Failure

Improperly Implemented Security Check for Standard

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-14440

Affected Products

Universal Ssl