Lego ACME Client Vulnerable to Path Traversal, Arbitrary File Write
The National Vulnerability Database has disclosed CVE-2026-40611, a high-severity path traversal vulnerability in Lego, the popular Let’s Encrypt client and ACME library written in Go. Prior to version 4.34.0, Lego’s webroot HTTP-01 challenge provider is susceptible to arbitrary file write and deletion. This flaw carries a CVSS score of 8.8 (HIGH).
Attackers can exploit this by operating a malicious ACME server. Such a server could supply a specially crafted challenge token containing directory traversal sequences (e.g., ../). This malicious token would trick the vulnerable Lego client into writing attacker-influenced content to any file path writable by the Lego process, or even deleting existing files. This is a critical arbitrary file write primitive.
For defenders, this means a compromised or malicious ACME server could gain arbitrary write access on systems running vulnerable Lego clients. This could lead to code execution, data manipulation, or denial of service. The fix is available in Lego version 4.34.0. Organizations must prioritize upgrading their Lego deployments immediately to mitigate this significant risk.
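The root cause described above is a server-supplied token being used as a filesystem path component. As an added example (not Lego's own code, and not necessarily how Lego fixed it), the function below shows how a webroot HTTP-01 provider can validate the token before building the challenge path: ACME tokens are base64url (RFC 8555 section 8.3), so an allow-list of characters rejects any traversal sequence, and a containment check on the resolved path guards against regressions. The names `ChallengeFilePath` and `WithinDir` and the sample tokens are constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// RFC 8555 section 8.3: a challenge token is unpadded base64url, so the only
// legal characters are [A-Za-z0-9_-]. "/" and "." never pass this check.
var tokenRe = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

var (
	ErrBadToken       = errors.New("challenge token contains characters outside base64url")
	ErrEscapesWebroot = errors.New("resolved challenge path is outside the challenge directory")
)

// WithinDir reports whether path, once cleaned, is base itself or a descendant of it.
func WithinDir(base, path string) bool {
	rel, err := filepath.Rel(filepath.Clean(base), filepath.Clean(path))
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ChallengeFilePath returns the file under webroot that should hold the HTTP-01
// key authorization for token, or an error if the token could steer a write
// (or a later cleanup delete) outside <webroot>/.well-known/acme-challenge/.
func ChallengeFilePath(webroot, token string) (string, error) {
	if !tokenRe.MatchString(token) {
		return "", ErrBadToken
	}
	dir := filepath.Join(webroot, ".well-known", "acme-challenge")
	full := filepath.Join(dir, token)
	// Defense in depth: the allow-list already excludes "..", but the containment
	// check still holds if the character rules are ever loosened.
	if !WithinDir(dir, full) {
		return "", ErrEscapesWebroot
	}
	return full, nil
}

func main() {
	// Constructed tokens: one well-formed, one carrying a traversal sequence.
	for _, tok := range []string{"ixsZ0mS1-pG7wKv_ABC", "../../../outside-webroot"} {
		p, err := ChallengeFilePath("/var/www/html", tok)
		fmt.Printf("token %q -> path %q err %v\n", tok, p, err)
	}
}
```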
What This Means For You
- If your organization uses the Lego ACME client for Let's Encrypt certificate management, you must immediately verify your version. If you are running anything prior to 4.34.0, you are exposed to arbitrary file write and deletion via a malicious ACME server. Patch to 4.34.0 without delay.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40611 | Path Traversal | Lego (Let's Encrypt client and ACME library written in Go) prior to version 4.34.0 |
| CVE-2026-40611 | Arbitrary File Write | Lego (Let's Encrypt client and ACME library written in Go) prior to version 4.34.0 via webroot HTTP-01 challenge provider |
| CVE-2026-40611 | Arbitrary File Deletion | Lego (Let's Encrypt client and ACME library written in Go) prior to version 4.34.0 via webroot HTTP-01 challenge provider |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 21, 2026 at 21:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.