How we mitigated a vulnerability in Cloudflare’s ACME validation logic
ID: e672e75f-976c-5f0a-bd2e-999ef65ad4f3
STIX ID: report--e672e75f-976c-5f0a-bd2e-999ef65ad4f3
Feed Name: Cloudflare Blog
Threat Score
Cloudflare disclosed and patched a vulnerability in its ACME HTTP-01 challenge handling: certain requests to /.well-known/acme-challenge/* could disable WAF features and be forwarded to customer origins when they should have been blocked. The issue was reported via a bug bounty and has been fixed. There is no evidence of abuse, and no customer action is required.
