I am the finder and reporter credited in the CVE record for CVE-2026-14440.

This vulnerability concerns Cloudflare Universal SSL’s automatic management of the effective CAA RRset. On affected Universal SSL zones, the CAA RRset served by Cloudflare authoritative DNS can supersede customer-configured CAA records. Consequently, RFC 8657 accounturi and validationmethods constraints may not be visible to the Certificate Authority and are not preserved end-to-end.

Successful exploitation is non-trivial and requires a capable network-level attacker that can satisfy the Certificate Authority’s active domain-validation and Multi-Perspective Issuance Corroboration requirements. There is no public evidence confirming exploitation in the wild against Cloudflare Universal SSL customers.

Customers requiring strict RFC 8657 enforcement should ensure that another valid Cloudflare edge certificate is active before disabling Universal SSL. Certificate Transparency monitoring is useful for detection of misissuance, but it does not prevent certificate issuance and is not a substitute for preventive RFC 8657 enforcement.

Primary and persistent references:

  • CVE record: https://www.cve.org/CVERecord?id=CVE-2026-14440
  • CISA CSAF advisory: https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-183-01.json
  • Researcher analysis: https://david-osipov.vision/en/blog/cybersecurity/cloudflare-ssl-mitm-flaw-2026/
  • Archived research release: https://doi.org/10.5281/zenodo.21182737
  • Vulnerability Wikidata item: https://www.wikidata.org/wiki/Q140402353
  • Universal SSL Wikidata item: https://www.wikidata.org/wiki/Q140459847
  • Researcher identity: https://david-osipov.vision/en/about/#person

Related vulnerabilities