**ACME Flaw in Cloudflare Allowed Attackers to Reach Origin Servers**

A critical flaw in how Cloudflare's edge handled ACME challenge requests allowed attackers to bypass WAF rules and reach protected origin servers directly.

The issue stemmed from how Cloudflare's edge handled requests to the `/.well-known/acme-challenge/` path. According to a report by FearsOff, its researchers noticed, while testing applications behind Cloudflare whose WAF blocked all but specific sources, that requests to `/.well-known/acme-challenge/{token}` skipped the WAF entirely and reached the origin server directly.

Demo hosts confirmed the behavior: normal paths returned Cloudflare block pages, but ACME paths returned origin-generated responses (404s) even without a real token. To test the WAF behavior reliably across Cloudflare's global edge, the researchers created a stable, pending HTTP-01 token via a custom hostname.
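The differential check the researchers describe (a path the WAF is known to block, compared against the ACME path with a token that no pending validation uses) is easy to reproduce against a zone you are authorized to test. The script below is an added example written for this article, not FearsOff's or Cloudflare's tooling. It assumes Cloudflare's default block page (HTTP 403 containing "Sorry, you have been blocked"); the hostname, control path and canned responses are constructed placeholders, and the fetcher is injectable so the verdict logic runs offline.

```python
"""Differential probe for a prefix-exempt WAF path.

Added example, not FearsOff's or Cloudflare's code. One request goes to a
path the WAF should block (the control), one to the HTTP-01 path with a
random token that no pending validation uses. If the control is blocked
and the ACME path is not, the ACME path reaches the origin unfiltered.
"""
import secrets
import urllib.error
import urllib.request

ACME_PREFIX = "/.well-known/acme-challenge/"


def default_fetch(url):
    """GET url, returning (status, body_prefix); HTTP errors are data, not exceptions."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-path-probe/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode("utf-8", "replace")


def canned_fetch(acme_response, other_response):
    """Offline fetcher returning constructed responses, for exercising the verdict logic."""
    def fetch(url):
        return acme_response if ACME_PREFIX in url else other_response
    return fetch


def looks_like_waf_block(status, body):
    """Heuristic fingerprint of Cloudflare's default WAF block page.

    Assumption: the zone uses the default block page (403 with
    "Sorry, you have been blocked"). Custom block responses need their
    own signature here, otherwise every verdict is "not blocked".
    """
    return status == 403 and "been blocked" in body.lower()


def probe(host, fetch=default_fetch, control_path="/admin"):
    """Return a verdict dict. control_path must be a path your WAF blocks."""
    token = secrets.token_urlsafe(32)  # 43 base64url chars, the usual ACME token shape
    control_status, control_body = fetch(f"https://{host}{control_path}")
    acme_status, acme_body = fetch(f"https://{host}{ACME_PREFIX}{token}")
    control_blocked = looks_like_waf_block(control_status, control_body)
    acme_blocked = looks_like_waf_block(acme_status, acme_body)
    return {
        "control_status": control_status,
        "acme_status": acme_status,
        "control_blocked": control_blocked,
        # Only meaningful when the control request really was blocked.
        "acme_reached_origin": control_blocked and not acme_blocked,
    }


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

A random token only exercises the edge location that served your request; for coverage of every point of presence the report used a real pending token via a custom hostname, which this probe does not automate.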

When Cloudflare's WAF let requests to `/.well-known/acme-challenge/{token}` through unfiltered, the trust boundary shifted from the WAF to the origin. Demo apps showed the risk: Spring/Tomcat endpoints exposed sensitive environment variables, Next.js SSR pages leaked operational details, and PHP routing exposed files through LFI bugs.

Account-level WAF rules were also ignored on this path, enabling attacks carried in request headers (SSRF, SQL injection, cache poisoning) that the WAF would otherwise have filtered. FearsOff warns that a WAF bypass like this takes on added urgency as AI-driven attack tooling evolves: automated scanners can rapidly enumerate exposed paths such as `/.well-known/acme-challenge/` and probe for framework-specific weaknesses or misconfigurations at scale.
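The header-based attacks above work because origin code treats request headers as if the WAF had already vetted them. The example below, added for this article and not taken from the FearsOff report or from Cloudflare, contrasts two origin-side habits with their hardened forms: an IP allowlist read from the first hop of `X-Forwarded-For`, and a base URL built from `X-Forwarded-Host`. The hardened versions honor `CF-Connecting-IP` only when the TCP peer is a trusted proxy and accept only a known `Host`. The proxy ranges, admin ranges and hostnames are constructed placeholders (RFC 5737 documentation addresses), not Cloudflare's published ranges; requests are modeled as plain dicts so the code runs offline.

```python
"""Origin-side header trust: vulnerable handling beside the hardened form.

Added example; not code from FearsOff or Cloudflare. Placeholders below
are constructed: in production load Cloudflare's published IP ranges
into TRUSTED_PROXY_NETS and your zone's hostnames into ALLOWED_HOSTS.
"""
import ipaddress

TRUSTED_PROXY_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # constructed, not Cloudflare's
ADMIN_NETS = [ipaddress.ip_network("203.0.113.0/24")]           # constructed
ALLOWED_HOSTS = {"app.example.test"}                           # constructed


def _in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


# --- vulnerable: believes every header, assuming the WAF filtered them ---

def vulnerable_client_ip(req):
    """First hop of X-Forwarded-For is whatever the client put there."""
    xff = req["headers"].get("x-forwarded-for", req["peer"])
    return xff.split(",")[0].strip()


def vulnerable_is_admin(req):
    return _in_nets(vulnerable_client_ip(req), ADMIN_NETS)


def vulnerable_base_url(req):
    """X-Forwarded-Host flows into links and redirects: cache poisoning / SSRF."""
    host = req["headers"].get("x-forwarded-host") or req["headers"]["host"]
    return f"https://{host}"


# --- hardened: trust proxy headers only from the proxy, validate the rest ---

def client_ip(req):
    """Use CF-Connecting-IP only when the TCP peer is a trusted proxy.

    Anyone who reaches the origin from elsewhere is identified by the
    peer address alone; their headers are ignored.
    """
    if _in_nets(req["peer"], TRUSTED_PROXY_NETS):
        cf_ip = req["headers"].get("cf-connecting-ip")
        if cf_ip:
            return str(ipaddress.ip_address(cf_ip))  # raises ValueError on garbage
    return req["peer"]


def is_admin(req):
    return _in_nets(client_ip(req), ADMIN_NETS)


def base_url(req):
    """Build URLs only from a Host value the application knows about."""
    host = req["headers"].get("host", "").lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError("untrusted Host header")
    return f"https://{host}"
```

Note that even `CF-Connecting-IP` is only as trustworthy as the path the request took: the hardened `client_ip` checks that the peer is the proxy before believing it, which is the check the vulnerable version never makes.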

Cloudflare fixed the issue on October 27, 2025, restoring consistent WAF enforcement on the path, and says it found no signs of malicious exploitation. ACME is the protocol certificate authorities use to verify control of a domain before issuing a certificate. In the HTTP-01 challenge, the CA requests `http://<domain>/.well-known/acme-challenge/<token>` and checks that the response carries the expected key authorization for that one-time token; if it matches, the certificate is issued.

Any exemption for that process should therefore cover only that exact path while a validation is pending, and nothing else. With this flaw, however, attackers could reach applications behind Cloudflare, exploit vulnerabilities in them, and gain unauthorized access to sensitive data.
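The two preceding paragraphs describe what an HTTP-01 responder has to do and how narrow the exemption for it should be. The example below is added for this article; it is not Cloudflare's edge logic or FearsOff's code. It implements the exact-path check (the literal prefix, a single segment, a token in the RFC 8555 base64url alphabet, no query or traversal) and an origin-side responder that serves key authorizations (`token.base64url(SHA-256(JWK thumbprint))`, RFC 8555 and RFC 7638) only for tokens registered as pending, answering 404 for everything else under the prefix before any application routing. The account JWK in the test is a constructed EC key used only for illustration.

```python
"""Strict HTTP-01 handling at the origin.

Added example, not Cloudflare's or FearsOff's code. Apply
is_acme_challenge_path() to the raw request target, before any path
normalization, so encoded or traversal variants are rejected as-is.
"""
import base64
import hashlib
import json
import re

ACME_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 s8.3: base64url alphabet, no padding, at least 128 bits of
# entropy (22 chars); 43 chars is the common 256-bit shape. Upper bound
# is an assumption to bound the input.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,128}")


def is_acme_challenge_path(raw_path):
    """True only for <prefix><token> with nothing else: no query, fragment, extra segment or traversal."""
    if "?" in raw_path or "#" in raw_path:
        return False
    if not raw_path.startswith(ACME_PREFIX):
        return False
    token = raw_path[len(ACME_PREFIX):]
    return TOKEN_RE.fullmatch(token) is not None


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the canonical JSON of the required members only."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, account_jwk):
    """RFC 8555 s8.1: the body the CA expects at the challenge URL."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


class ChallengeResponder:
    """Answers everything under ACME_PREFIX itself; nothing reaches the app router."""

    def __init__(self, account_jwk):
        self.account_jwk = account_jwk
        self.pending = {}  # token -> key authorization, added when a challenge is pending

    def register(self, token):
        if not TOKEN_RE.fullmatch(token):
            raise ValueError("token outside the ACME token alphabet")
        self.pending[token] = key_authorization(token, self.account_jwk)

    def unregister(self, token):
        self.pending.pop(token, None)

    def handle(self, raw_path):
        """Return (status, body) for anything under the prefix, or None to pass the request on."""
        if not raw_path.startswith(ACME_PREFIX):
            return None
        if not is_acme_challenge_path(raw_path):
            return 404, ""
        body = self.pending.get(raw_path[len(ACME_PREFIX):])
        return (200, body) if body else (404, "")
```

Mounting the responder ahead of the framework's own router is what keeps a PHP front controller, a Spring dispatcher or a Next.js catch-all route from ever seeing these requests, which is exactly the traffic the report found reaching them.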

FearsOff concludes: "The obvious question follows – how many apps still trust headers more than they should, and how many rely on the WAF to stand between that trust and the internet?" As AI-driven attacks continue to evolve, strong WAF protections become increasingly vital to prevent such bypasses and protect against emerging threats.

Cloudflare has since addressed the flaw, but this incident serves as a reminder of the importance of ongoing security monitoring and maintenance.