CVE-2026-40611: ACME Lego: Arbitrary File Write via Path Traversal in Webroot HTTP-01 Provider
The webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. The provider derives the name of the validation file under <webroot>/.well-known/acme-challenge/ from the challenge token returned by the ACME server. A malicious or compromised ACME server can supply a crafted token containing ../ sequences, causing lego to write attacker-influenced content (the key authorization for that token) to any path writable by the lego process; because the provider removes the same file when the challenge is cleaned up, the traversal also allows deletion of arbitrary files. RFC 8555 section 8.3 restricts tokens to base64url characters, so a token containing any other character should be rejected before it is used as a file name.
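The bug class in miniature, as an added Go example that is not lego's source: vulnerableChallengePath shows the unsafe pattern (the token is joined into the path and filepath.Join happily resolves the ".." components), and safeChallengePath shows the two checks a hardened provider wants, a charset check against the RFC 8555 token alphabet and a containment check on the cleaned path. writeChallenge and removeChallenge stand in for a provider's Present and CleanUp steps; the webroot, the tokens and the key authorization string are constructed inputs for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// challengeDir is where HTTP-01 validation files live under the webroot (RFC 8555 section 8.3).
const challengeDir = ".well-known/acme-challenge"

// RFC 8555 section 8.3 requires the challenge token to contain only base64url characters.
var tokenRe = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// ErrBadToken is returned for any token that is not a plain base64url file name.
var ErrBadToken = errors.New("acme: refusing challenge token")

// vulnerableChallengePath is the unsafe pattern: the server-supplied token is joined straight
// into the path. filepath.Join cleans ".." components, so a token such as
// "../../../../etc/cron.d/evil" resolves to a path outside the challenge directory.
// This illustrates the bug class; it is not lego's actual code.
func vulnerableChallengePath(webroot, token string) string {
	return filepath.Join(webroot, challengeDir, token)
}

// safeChallengePath accepts only tokens that match the ACME charset, then verifies that the
// cleaned path is a direct child of <webroot>/.well-known/acme-challenge before returning it.
func safeChallengePath(webroot, token string) (string, error) {
	if !tokenRe.MatchString(token) {
		return "", fmt.Errorf("%w %q: characters outside base64url", ErrBadToken, token)
	}
	base := filepath.Join(webroot, challengeDir)
	p := filepath.Join(base, token)
	// Belt and braces: even if the charset check were loosened later, never return a path
	// that is not exactly one component below base.
	rel, err := filepath.Rel(base, p)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) ||
		strings.ContainsRune(rel, filepath.Separator) {
		return "", fmt.Errorf("%w %q: resolves outside %s", ErrBadToken, token, base)
	}
	return p, nil
}

// writeChallenge mirrors a provider's Present step: create the challenge directory and write
// the key authorization, but only at a validated path.
func writeChallenge(webroot, token, keyAuth string) (string, error) {
	p, err := safeChallengePath(webroot, token)
	if err != nil {
		return "", err
	}
	if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
		return "", err
	}
	if err := os.WriteFile(p, []byte(keyAuth), 0o644); err != nil {
		return "", err
	}
	return p, nil
}

// removeChallenge mirrors a provider's CleanUp step with the same validation, so a crafted
// token cannot turn cleanup into an arbitrary file deletion.
func removeChallenge(webroot, token string) error {
	p, err := safeChallengePath(webroot, token)
	if err != nil {
		return err
	}
	return os.Remove(p)
}

func main() {
	const webroot = "/var/www" // constructed for the demo
	good := "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA" // RFC 8555 example token
	evil := "../../../../etc/cron.d/evil"                // constructed traversal token

	fmt.Println("unsafe:", vulnerableChallengePath(webroot, evil))
	if p, err := safeChallengePath(webroot, good); err == nil {
		fmt.Println("safe:  ", p)
	}
	if _, err := safeChallengePath(webroot, evil); err != nil {
		fmt.Println("safe:  ", err)
	}
}
```

The charset check alone is sufficient against this bug, since neither "/" nor "." is in the base64url alphabet; the containment check is there so that a later relaxation of the token rule cannot silently reopen the traversal. Validating the token when the challenge is received, before either Present or CleanUp touches the filesystem, keeps the two code paths from diverging.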