Home / Security updates / Security Advisory: Cloudflare ACME Path Vulnerability
Security Advisory: Cloudflare ACME Path Vulnerability
Security updates detail rendered from /security-updates/upd_e060e5f8e6ec9f9e.
Overview
| ID | upd_e060e5f8e6ec9f9e |
| Collection | Security Updates |
| Provider | SafeBase |
| Company | Kurtosys Systems |
| URL | - |
| Counts | - |
| Updated | - |
Raw record
| Field | Value |
|---|---|
| id | upd_e060e5f8e6ec9f9e |
| providerId | safebase |
| organizationId | org_1f8785214562fef5 |
| trustCenterId | tc_f0793fe2755be3ab |
| title | Security Advisory: Cloudflare ACME Path Vulnerability |
| message | We want to reassure our clients that a recently disclosed zero-day vulnerability in Cloudflare’s ACME validation logic has **already been fully remediated** by Cloudflare and **has not and will not impact the security of our platform or our clients’ digital assets**. On **19 January 2026**, Cloudflare published details of a vulnerability affecting how certain ACME HTTP-01 certificate validation requests to the following path were handled: Under specific conditions, this behaviour could have resulted in Cloudflare Web Application Firewall (WAF) protections being bypassed during certificate validation. --- ## Cloudflare Remediation Status Cloudflare has **fully patched** the issue through a code change that ensures WAF and associated security controls remain enforced, except where explicitly required for legitimate ACME challenge responses. - The fix has been **globally deployed** - No customer action was required - Cloudflare has confirmed there is **no evidence of exploitat |
| url | - |
| publishedAt | 2026-01-20 |
| source | {
"field": "statuspage/public/compliance-update",
"category": "vulnerabilities"
} |
| company | {
"id": "org_1f8785214562fef5",
"name": "Kurtosys Systems",
"domains": [
"trust.kurtosys.com",
"kurtosys.com"
]
} |
| trust_center | {
"id": "tc_f0793fe2755be3ab",
"name": "Kurtosys Systems",
"url": "https://trust.kurtosys.com",
"host": "trust.kurtosys.com"
} |
| provider | {
"id": "safebase",
"name": "SafeBase"
} |
| links | {
"self": "/v1/security-updates/upd_e060e5f8e6ec9f9e",
"company": "/v1/companies/org_1f8785214562fef5",
"trust_center": "/v1/trust-centers/tc_f0793fe2755be3ab",
"provider": "/v1/providers/safebase"
} |
Get this page with API
Rendered from the bluedoor Trust Centers API. Reproduce it:
GET https://api.bluedoor.sh/trust-centers/v1/security-updates/upd_e060e5f8e6ec9f9eJSON