CVE-2026-40611

high Red Hat
CVSS v3 Base Score
8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score
0.1%
Exploitation probability in 30 days
Top 83% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Confidentiality
High
Integrity
High
Availability
High
Published: April 21, 2026 (79 days ago)
Last Modified: April 21, 2026
Vendor: Red Hat
Source: REDHAT

Description

A flaw was found in lego, the Let's Encrypt client and ACME library written in Go. A malicious ACME (Automated Certificate Management Environment) server can exploit a path traversal vulnerability in the webroot HTTP-01 challenge provider. By supplying a specially crafted challenge token containing directory traversal sequences, the server can cause lego to write or delete files in arbitrary locations on the system where lego is running, potentially leading to system compromise.

CWE

CWE-22

Affected Products

Red Hat OpenShift Dev Spaces

References