{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40611", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-14T14:07:59.642Z", "datePublished": "2026-04-21T17:58:35.221Z", "dateUpdated": "2026-04-21T19:17:54.210Z"}, "containers": {"cna": {"title": "Lego: Arbitrary File Write via Path Traversal in Webroot HTTP-01 Provider", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/go-acme/lego/security/advisories/GHSA-qqx8-2xmm-jrv8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/go-acme/lego/security/advisories/GHSA-qqx8-2xmm-jrv8"}], "affected": [{"vendor": "go-acme", "product": "lego", "versions": [{"version": "< 4.34.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T17:58:35.221Z"}, "descriptions": [{"lang": "en", "value": "Let's Encrypt client and ACME library written in Go (Lego). Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, causing lego to write attacker-influenced content to any path writable by the lego process. This vulnerability is fixed in 4.34.0."}], "source": {"advisory": "GHSA-qqx8-2xmm-jrv8", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/go-acme/lego/security/advisories/GHSA-qqx8-2xmm-jrv8", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T19:17:50.782641Z", "id": "CVE-2026-40611", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:17:54.210Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40611", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-21T19:17:50.782641Z"}}}], "references": [{"url": "https://github.com/go-acme/lego/security/advisories/GHSA-qqx8-2xmm-jrv8", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T18:58:11.603Z"}}], "cna": {"title": "Lego: Arbitrary File Write via Path Traversal in Webroot HTTP-01 Provider", "source": {"advisory": "GHSA-qqx8-2xmm-jrv8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "go-acme", "product": "lego", "versions": [{"status": "affected", "version": "< 4.34.0"}]}], "references": [{"url": "https://github.com/go-acme/lego/security/advisories/GHSA-qqx8-2xmm-jrv8", "name": "https://github.com/go-acme/lego/security/advisories/GHSA-qqx8-2xmm-jrv8", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Let's Encrypt client and ACME library written in Go (Lego). Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, causing lego to write attacker-influenced content to any path writable by the lego process. This vulnerability is fixed in 4.34.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T17:58:35.221Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40611", "state": "PUBLISHED", "dateUpdated": "2026-04-21T19:17:54.210Z", "dateReserved": "2026-04-14T14:07:59.642Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T17:58:35.221Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Let's Encrypt client and ACME library written in Go (Lego). Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, causing lego to write attacker-influenced content to any path writable by the lego process. This vulnerability is fixed in 4.34.0."}], "id": "CVE-2026-40611", "lastModified": "2026-04-22T21:17:23.590", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T18:16:52.457", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/go-acme/lego/security/advisories/GHSA-qqx8-2xmm-jrv8"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/go-acme/lego/security/advisories/GHSA-qqx8-2xmm-jrv8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "github.com/go-acme/lego: Lego: Arbitrary file write and deletion via path traversal from a malicious ACME server", "id": "2460233", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460233"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-22", "details": ["A flaw was found in lego, the Let's Encrypt client and ACME library written in Go. A malicious ACME (Automated Certificate Management Environment) server can exploit a path traversal vulnerability in the webroot HTTP-01 challenge provider. By supplying a specially crafted challenge token containing directory traversal sequences, the server can cause lego to write or delete files in arbitrary locations on the system where lego is running, potentially leading to system compromise."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, ensure that the `lego` client only interacts with trusted ACME servers. Additionally, run the `lego` process with the least necessary privileges and in a restricted environment to limit the potential impact of arbitrary file operations. This may involve containerization or specific filesystem access controls."}, "name": "CVE-2026-40611", "package_state": [{"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Affected", "package_name": "devspaces/traefik-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}], "public_date": "2026-04-21T17:58:35Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-40611\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40611\nhttps://github.com/go-acme/lego/security/advisories/GHSA-qqx8-2xmm-jrv8"], "statement": "The `lego` client, utilized in Red Hat OpenShift Dev Spaces, is susceptible to a path traversal vulnerability within its webroot HTTP-01 challenge provider. A malicious ACME server could exploit this flaw by sending a specially crafted challenge token, enabling arbitrary file write or deletion on the system running `lego`. The impact of this flaw is directly limited to the level of privileges the process running the `lego` client has, since the attacker would be able to create, write or delete only files that the lego's running UID has permission to perform the analogue operation.\nTo exploit this vulnerability the user needs to be tricked to connect to a malicious ACME server or the attacker needs to firstly compromise the ACME server to send the crafted challenge token in order to trigger the path traversal vulnerability.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.34.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "lego", "source": "cna", "vendor": "go-acme"}, "product": "lego", "vendor": "go-acme"}], "created": "2026-04-22T11:45:55.654808+00:00", "updated": "2026-04-22T11:45:55.654886+00:00", "vendors": ["go-acme", "go-acme$PRODUCT$lego"]}