Cloudflare Universal SSL automatically managed CAA RRset supersedes customer-configured CAA records

Summary

CVECVE-2026-14440
StatePUBLISHED
Assignercloudflare
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-07-01 23:16:52 UTC
Updated2026-07-02 20:17:01 UTC
DescriptionDescription: To issue and renew TLS certificates on behalf of customers, Cloudflare's Universal SSL feature automatically manages the CAA RRset for the customer's zone. This auto-managed RRset is permissive by design (e.g. 'issue "letsencrypt.org"' without parameters). On Universal SSL zones, Cloudflare's authoritative DNS serves this auto-managed RRset at query time, superseding any customer-configured CAA records on the zone. When a customer publishes a stricter CAA record using the RFC 8657 accounturi or validationmethods parameters, the Certificate Authority does not observe those parameters when evaluating the served RRset under RFC 8659. As a result, the RFC 8657 account-binding and validation-method-binding protections are not enforced end-to-end on Universal SSL zones. Successful exploitation could result in issuance of a browser-trusted TLS certificate to an attacker, enabling MITM against the affected domain. Exploitation is non-trivial in practice: an attacker would need to hold an ACME account at one of the Certificate Authorities in the served CAA RRset and to simultaneously satisfy domain control validation across the multiple geographically distinct Network Perspectives the CA relies on for Multi-Perspective Issuance Corroboration. Cloudflare prefixes are anycast-announced from hundreds of locations globally, raising the bar against single-vantage-point BGP hijacks. Any resulting misissuance of a browser-trusted certificate is subject to Certificate Transparency logging required by major browsers, and would be visible to CT monitoring. Mitigation:  Customers requiring strict RFC 8657 enforcement need to disable Universal SSL on the affected zone. Universal SSL's automatic CAA management and customer-set RFC 8657 accounturi and validationmethods enforcement are mutually exclusive by the nature of the issue, so there is no in-product workaround that preserves both.  Certificate Transparency monitoring is recommended for all customers as a general detection control. Credits: David Osipov (ORCID: https://orcid.org/0009-0005-2713-9242), independent researcher

Risk And Classification

Primary CVSS: v4.0 7.6 HIGH from [email protected]

CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS: 0.001350000 probability, percentile 0.033320000 (date 2026-07-05)

Problem Types: CWE-693 | CWE-693 CWE-693 Protection Mechanism Failure


VersionSourceTypeScoreSeverityVector
4.0[email protected]Secondary7.6HIGHCVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/C...
4.0CNACVSS7.6HIGHCVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
3.1ADPDECLARED6.8MEDIUMCVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
3.1134c704f-9b21-4f2e-91b3-4a467353bcc0Secondary6.8MEDIUMCVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS v4.0 Breakdown

Attack Vector
Adjacent
Attack Complexity
High
Attack Requirements
Present
Privileges Required
None
User Interaction
None
Confidentiality
High
Integrity
High
Availability
None
Sub Conf.
None
Sub Integrity
None
Sub Availability
None

CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS v3.1 Breakdown

Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Cloudflare Universal SSL affected current custom Cloud Service

References

ReferenceSourceLinkTags
david-osipov.vision/en/blog/cybersecurity/cloudflare-ssl-mitm-flaw-2026 134c704f-9b21-4f2e-91b3-4a467353bcc0 david-osipov.vision
developers.cloudflare.com/ssl/edge-certificates/universal-ssl/limitations [email protected] developers.cloudflare.com
zenodo.org/records/18330221 134c704f-9b21-4f2e-91b3-4a467353bcc0 zenodo.org
www.rfc-editor.org/rfc/rfc8659 [email protected] www.rfc-editor.org
community.cloudflare.com/t/critical-security-gap-cloudflare-must-fully-support-rfc-865... 134c704f-9b21-4f2e-91b3-4a467353bcc0 community.cloudflare.com
community.cloudflare.com/t/universal-ssl-exposes-domains-to-bgp-leaks-re-venezuela-ana... 134c704f-9b21-4f2e-91b3-4a467353bcc0 community.cloudflare.com
www.rfc-editor.org/rfc/rfc8657 [email protected] www.rfc-editor.org
developers.cloudflare.com/ssl/edge-certificates/caa-records [email protected] developers.cloudflare.com
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Vendor Comments And Credit

Discovery Credit

CNA: David Osipov (ORCID: https://orcid.org/0009-0005-2713-9242), independent researcher (en)

Additional Advisory Data

Solutions

CNA: Customers requiring strict RFC 8657 enforcement need to disable Universal SSL on the affected zone. Universal SSL's automatic CAA management and customer-set RFC 8657 accounturi and validationmethods enforcement are mutually exclusive by the nature of the issue, so there is no in-product workaround that preserves both.  Certificate Transparency monitoring is recommended for all customers as a general detection control.

© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report