High severity (8.8) · NVD Advisory · Published Apr 21, 2026 · Updated Apr 22, 2026
CVE-2026-40611
Description
Lego is a Let's Encrypt client and ACME library written in Go. Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal: a malicious ACME server can supply a crafted challenge token containing ../ sequences, causing lego to write attacker-influenced content to any path writable by the lego process. The vulnerability is fixed in 4.34.0.
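The flaw described above, beside the check a webroot provider needs before it writes or removes a challenge file. This is an added illustration in Go, not lego's own code or its fix; the webroot, the sample tokens and the function names are assumptions, and the token rule relies on RFC 8555 section 8.3, which restricts ACME tokens to the unpadded base64url alphabet.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// ACME challenge tokens are bare base64url strings (RFC 8555, section 8.3),
// so anything outside that alphabet, "/" and "." included, is not a token.
var tokenRe = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

var (
	errBadToken = errors.New("challenge token is not a bare base64url string")
	errEscape   = errors.New("challenge path escapes the webroot")
)

// naiveChallengePath shows the flawed pattern: the server-supplied token is
// joined straight onto the webroot, so "../" segments in it walk back out.
func naiveChallengePath(webroot, token string) string {
	return filepath.Join(webroot, ".well-known", "acme-challenge", token)
}

// safeChallengePath rejects any token that is not a plain base64url string
// and, as defence in depth, confirms the cleaned path still lies under the
// webroot before a caller writes or removes the challenge file.
func safeChallengePath(webroot, token string) (string, error) {
	if !tokenRe.MatchString(token) {
		return "", errBadToken
	}
	root := filepath.Clean(webroot)
	p := filepath.Join(root, ".well-known", "acme-challenge", token)
	rel, err := filepath.Rel(root, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errEscape
	}
	return p, nil
}

func main() {
	// Constructed sample tokens: one well-formed, one carrying "../" segments.
	for _, tok := range []string{"evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA", "../../../escaped"} {
		fmt.Println("naive:", naiveChallengePath("/var/www/html", tok))
		p, err := safeChallengePath("/var/www/html", tok)
		fmt.Println("safe: ", p, err)
	}
}
```

The naive join resolves the second token to a location above the webroot, which is exactly the write-anywhere condition in the description; the token check alone is enough to stop it, and the Rel check guards the path should the token rule ever be loosened.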
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/go-acme/lego/v4 (Go) | < 4.34.0 | 4.34.0 |
| github.com/go-acme/lego/v3 (Go) | <= 3.9.0 | — |
| github.com/go-acme/lego (Go) | <= 2.7.2 | — |
Affected products
Ten packages (OSV coordinates; no CPE is assigned to any of them):

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/sftpgo | < 2.7.1-r8 |
| pkg:apk/chainguard/traefik-2.11 | < 2.11.44-r0 |
| pkg:apk/chainguard/traefik-3.6 | < 3.6.13-r2 |
| pkg:apk/chainguard/traefik-fips-2.11 | < 2.11.44-r0 |
| pkg:apk/chainguard/traefik-fips-3.6 | < 3.6.13-r2 |
| pkg:apk/wolfi/sftpgo | < 2.7.1-r8 |
| pkg:apk/wolfi/traefik-3.6 | < 3.6.13-r2 |
| pkg:golang/github.com/go-acme/lego | <= 2.7.2 |
| pkg:golang/github.com/go-acme/lego/v3 | <= 3.9.0 |
| pkg:golang/github.com/go-acme/lego/v4 | < 4.34.0 |