{
  "threat_severity" : "Important",
  "public_date" : "2026-04-21T17:58:35Z",
  "bugzilla" : {
    "description" : "github.com/go-acme/lego: Lego: Arbitrary file write and deletion via path traversal from a malicious ACME server",
    "id" : "2460233",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2460233"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-22",
  "details" : [ "Let's Encrypt client and ACME library written in Go (Lego). Prior to 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing ../ sequences, causing lego to write attacker-influenced content to any path writable by the lego process. This vulnerability is fixed in 4.34.0.", "A flaw was found in lego, the Let's Encrypt client and ACME library written in Go. A malicious ACME (Automated Certificate Management Environment) server can exploit a path traversal vulnerability in the webroot HTTP-01 challenge provider. By supplying a specially crafted challenge token containing directory traversal sequences, the server can cause lego to write or delete files in arbitrary locations on the system where lego is running, potentially leading to system compromise." ],
  "statement" : "The `lego` client, utilized in Red Hat OpenShift Dev Spaces, is susceptible to a path traversal vulnerability within its webroot HTTP-01 challenge provider. A malicious ACME server could exploit this flaw by sending a specially crafted challenge token, enabling arbitrary file write or deletion on the system running `lego`. The impact of this flaw is directly limited by the privileges of the process running the `lego` client, since the attacker can only create, write or delete files on which the UID running `lego` already has permission to perform the corresponding operation.\nTo exploit this vulnerability, the user must be tricked into connecting to a malicious ACME server, or the attacker must first compromise the ACME server, so that the crafted challenge token can be sent to trigger the path traversal vulnerability.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Dev Spaces 3.28",
    "release_date" : "2026-05-28T00:00:00Z",
    "advisory" : "RHSA-2026:21772",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3.28::el9",
    "package" : "devspaces/traefik-rhel9:1779786779"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-40611\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40611\nhttps://github.com/go-acme/lego/security/advisories/GHSA-qqx8-2xmm-jrv8" ],
  "name" : "CVE-2026-40611",
  "mitigation" : {
    "value" : "To mitigate this issue, ensure that the `lego` client only interacts with trusted ACME servers. Additionally, run the `lego` process with the least necessary privileges and in a restricted environment to limit the potential impact of arbitrary file operations. This may involve containerization or specific filesystem access controls.",
    "lang" : "en:us"
  },
  "csaw" : false
}