Vulnerability in Cloudflare's Universal SSL Affecting DNS Management
CVE-2026-14440
What is CVE-2026-14440?
Cloudflare's Universal SSL feature automatically manages the Certificate Authority Authorization (CAA) resource records for customer zones, which can lead to improper validation of stricter CAA conditions. When the Universal SSL zones serve an auto-managed CAA RRset, they override any customer-defined CAA records, allowing potentially unauthorized issuance of TLS certificates. If a customer sets strict CAA parameters using RFC 8657's accounturi or validationmethods, those protections may not be enforced properly, leaving the door open for attackers to exploit this issue and acquire browser-trusted certificates. Exploitation of this vulnerability requires advanced capabilities, including control over an ACME account at a Certificate Authority and domain control validation across multiple global perspectives. Mitigation includes disabling Universal SSL to enforce stricter CAA settings and monitoring Certificate Transparency to detect any certificate misissuance.
Affected Version(s)
Universal SSL Cloud Service 0
References
CVSS V4
Timeline
Vulnerability published
Vulnerability Reserved
