
I want to share a critical update regarding the security flaw in Cloudflare's infrastructure that I recently analyzed on my blog and on Ru Habr. The issue, Universal SSL ignoring CAA records and Account Binding (RFC 8657), has officially entered the coordination phase.
Status Update:
NotCVE Assigned: The vulnerability has been registered as NotCVE-2026-0001 (Insecure Default Configuration Nullifying RFC 8657).
VINCE Registration: The report has been accepted by the VINCE vulnerability coordination platform (Carnegie Mellon University / CERT/CC). The case is tracked under VU#840183.
The Core Issue (Summary): On Free and Pro plans, Cloudflare automatically manages SSL issuance and silently injects permissive CAA records for DigiCert, Let's Encrypt, and Google Trust Services. This behavior overrides user-defined security settings, specifically disabling the protection offered by RFC 8657 (CAA Account Binding). Even if you explicitly restrict Certificate Authorities via DNS to prevent unauthorized issuance, Cloudflare's architecture nullifies these controls.
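To make the mechanism concrete, here is an added example (my own illustration, not Cloudflare's code or the code from the original analysis) that evaluates a zone's CAA "issue" records the way RFC 8659 and RFC 8657 prescribe: a CA may issue if any one "issue" record names it, and a record that carries accounturi or validationmethods parameters only matches when the requesting ACME account and validation method match too. The record set, the example.com zone, and the account URIs are constructed placeholders; the three unparameterized records stand for the permissive entries the post describes, and their exact values are an assumption. The audit helper at the end lists "issue" records that name a CA without binding it to an account, which is the condition to check in your own zone.

```python
"""CAA evaluation with RFC 8657 account binding (added example, constructed data).

Models the RFC 8659 'issue' matching rule for non-wildcard names plus the
RFC 8657 'accounturi' and 'validationmethods' parameters, and shows why one
extra unparameterized record for the same CA defeats account binding.
"""
import re
from dataclasses import dataclass, field

# dig-style presentation line, e.g.  example.com. 300 IN CAA 0 issue "letsencrypt.org"
_PRESENTATION = re.compile(r'\bCAA\s+(\d+)\s+(\S+)\s+"([^"]*)"')

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass
class CaaRecord:
    flags: int      # bit 128 = issuer-critical (RFC 8659 s4.1)
    tag: str
    value: str


@dataclass
class IssueRule:
    ca_domain: str  # "" means "no CA may issue"
    params: dict = field(default_factory=dict)


def parse_presentation(text: str) -> list:
    """Parse CAA records out of zone-file / dig output lines."""
    return [CaaRecord(int(f), tag.lower(), val) for f, tag, val in _PRESENTATION.findall(text)]


def parse_issue_value(value: str) -> IssueRule:
    """Split 'ca.example; k=v; k2=v2' into the CA domain and its parameters."""
    head, *tail = [p.strip() for p in value.split(";")]
    params = {}
    for p in tail:
        if p:
            key, _, val = p.partition("=")
            params[key.strip().lower()] = val.strip()
    return IssueRule(head.lower(), params)


def rule_permits(rule: IssueRule, ca_domain: str, account_uri: str, method: str) -> bool:
    """One 'issue' record permits issuance only if every constraint it carries matches."""
    if not rule.ca_domain or rule.ca_domain != ca_domain.lower():
        return False
    bound = rule.params.get("accounturi")
    if bound is not None and bound != account_uri:
        return False            # RFC 8657: request comes from a different ACME account
    methods = rule.params.get("validationmethods")
    if methods is not None and method not in {m.strip() for m in methods.split(",")}:
        return False            # RFC 8657: validation method not allowed by the zone owner
    return True


def issuance_permitted(records, ca_domain, account_uri, method="http-01") -> bool:
    """RFC 8659 s4: permitted if ANY relevant 'issue' record matches; a critical unknown tag blocks."""
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in records):
        return False
    rules = [parse_issue_value(r.value) for r in records if r.tag == "issue"]
    if not rules:
        return True             # no CAA policy at all: every CA may issue
    return any(rule_permits(rule, ca_domain, account_uri, method) for rule in rules)


def unbound_issue_records(records) -> list:
    """Defender's audit: 'issue' records that name a CA but carry no accounturi."""
    out = []
    for r in records:
        if r.tag != "issue":
            continue
        rule = parse_issue_value(r.value)
        if rule.ca_domain and "accounturi" not in rule.params:
            out.append(r.value)
    return out


# Constructed data. The account URIs are placeholders, not real ACME accounts.
OWNER_ACCOUNT = "https://acme-v02.api.letsencrypt.org/acme/acct/PLACEHOLDER-OWNER"
OTHER_ACCOUNT = "https://acme-v02.api.letsencrypt.org/acme/acct/PLACEHOLDER-OTHER"

# What the zone owner published: Let's Encrypt only, only from their account, only via dns-01.
OWNER_ZONE = parse_presentation(
    f'example.com. 300 IN CAA 128 issue "letsencrypt.org; accounturi={OWNER_ACCOUNT}; validationmethods=dns-01"'
)

# Same zone with permissive records for three CAs added alongside the owner's record
# (assumed shape of the injected records the post describes, not a captured Cloudflare response).
INJECTED_ZONE = OWNER_ZONE + parse_presentation(
    'example.com. 300 IN CAA 0 issue "letsencrypt.org"\n'
    'example.com. 300 IN CAA 0 issue "digicert.com"\n'
    'example.com. 300 IN CAA 0 issue "pki.goog"\n'
)

if __name__ == "__main__":
    for name, zone in (("owner-only", OWNER_ZONE), ("with injected records", INJECTED_ZONE)):
        ok = issuance_permitted(zone, "letsencrypt.org", OTHER_ACCOUNT, "http-01")
        print(f"{name}: other account via http-01 -> {'PERMITTED' if ok else 'blocked'}; "
              f"unbound records: {unbound_issue_records(zone)}")
```

Run against the owner-only zone, a request from another ACME account over http-01 is blocked; once the unparameterized "letsencrypt.org" record is present, the same request is permitted, because RFC 8659 only requires one matching record and that record carries no binding at all. To audit your own zone, feed the output of `dig CAA yourdomain +noall +answer` to parse_presentation and check that unbound_issue_records returns an empty list.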
The Attack Vector: This default configuration re-opens the exact architectural gap exploited in the 2023 jabber.ru incident. If an attacker can intercept traffic during the domain validation phase via the ACME HTTP-01 mechanism, they can issue a legitimate certificate for your domain through Cloudflare, bypassing your CAA restrictions, and you will have virtually no way to detect this MITM attack unless you closely monitor Certificate Transparency logs.
This interception can be achieved via:
Internal Infrastructure Interception at the hosting provider level (as observed within the Hetzner network during the jabber.ru attack).
I am currently awaiting a response from the vendor and the results of the CERT/CC coordination.
Technical Deep-dive: You can read my full analysis of the vulnerability here: The 2023 jabber.ru Attack Exposes a Critical Cloudflare Flaw in 2026
