The 2023 jabber.ru Attack Exposes a Critical Cloudflare Flaw in 2026
Abstract
This article analyzes NotCVE-2026-0001, a critical security vulnerability in Cloudflare's Universal SSL, where the automatic injection of permissive CAA records actively nullifies the IETF standard RFC 8657. By overriding user-defined account binding parameters, this configuration re-opens the exact security gap exploited in the 2023 jabber.ru MitM attack, leaving millions of domains vulnerable to BGP hijacking and unauthorized TLS certificate issuance. The analysis demonstrates that this is not a technical oversight but a design choice that neutralizes the `accounturi` and `validationmethods` security controls, and argues that Cloudflare must implement strict ACME account binding to mitigate this risk.
Vulnerability Status: Formally Tracked
As of January 21, 2026, this vulnerability is being formally tracked by multiple security coordination bodies:
- CERT/CC (VINCE): Report VU#840183 (Status: Open)
- NotCVE ID: NotCVE-2026-0001[1]
- Severity: CVSS 8.7 (High)
- Attack Vector: Network-based (BGP hijacking, network interception)
- Impact: Critical (Domain Integrity, TLS MITM capability)
Technical Classification
The vulnerability has been formally classified under the following enumeration standards:
- CWE-1188 : Insecure Default Initialization of Resource (Core issue: Cloudflare defaults to insecure CAA injection).
- CWE-693 : Protection Mechanism Failure (Failure of the `accounturi` restriction).
- CAPEC-94 : Adversary in the Middle (AiTM) (The resulting attack vector).
- CAPEC-584 : BGP Route Disabling / Manipulation (Prerequisite for the attack).
- CAPEC-598 : DNS Spoofing (Alternative network manipulation vector).
TL;DR
The Mechanism
Cloudflare’s Universal SSL injects permissive CAA records that override user DNS constraints, causing certificate authorities to ignore strict account-binding checks.
The Risk
This enables BGP hijacking and network interception to obtain unauthorized TLS certificates by bypassing `accounturi` and `validationmethods`.
The Precedent
The configuration replicates the gap exploited in the 2023 jabber.ru MitM, where intercepted traffic satisfied http-01 validation challenges.
The Mitigation
Cloudflare must stop overriding user DNS records or fully implement RFC 8657 to restrict certificate issuance to the domain owner’s authorized ACME account.
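To make the mechanism concrete, here is an added example (not code from the article or from Cloudflare) that evaluates RFC 8657 CAA constraints the way a CA would: it checks a certificate request against the domain owner's strict `issue` record, then against the same record set with a bare, parameter-less `issue` entry added beside it. The account URIs are constructed placeholders, and representing the platform-injected record as a bare Let's Encrypt `issue` entry is an assumption of the example.

```python
"""RFC 8657 CAA policy check, showing how one bare 'issue' record reopens issuance."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class CaaIssue:
    issuer: str                              # CA domain; "" (from ";") authorizes no CA
    accounturi: str | None = None            # RFC 8657: bind issuance to one ACME account
    validationmethods: frozenset[str] | None = None  # RFC 8657: allowed ACME challenge types


def parse_caa_issue(value: str) -> CaaIssue:
    """Parse a CAA 'issue' property value: 'issuer[; accounturi=...][; validationmethods=a,b]'."""
    parts = [p.strip() for p in value.split(";")]
    accounturi, methods = None, None
    for param in parts[1:]:
        key, _, val = param.partition("=")
        key = key.strip().lower()
        if key == "accounturi":
            accounturi = val.strip()
        elif key == "validationmethods":
            methods = frozenset(m.strip().lower() for m in val.split(",") if m.strip())
    return CaaIssue(parts[0].lower(), accounturi, methods)


def record_permits(rec: CaaIssue, ca_domain: str, account_uri: str, method: str) -> bool:
    """A single record permits only if issuer, account (if bound) and method (if bound) all match."""
    if rec.issuer != ca_domain.lower():
        return False
    if rec.accounturi is not None and rec.accounturi != account_uri:
        return False
    if rec.validationmethods is not None and method.lower() not in rec.validationmethods:
        return False
    return True


def issuance_allowed(records: list[tuple[str, str]], ca_domain: str, account_uri: str, method: str) -> bool:
    """RFC 8659 semantics: no 'issue' records means no restriction; otherwise at least one must permit.
    A permissive record therefore overrides every strict one in the same set."""
    issues = [parse_caa_issue(v) for tag, v in records if tag.lower() == "issue"]
    if not issues:
        return True
    return any(record_permits(r, ca_domain, account_uri, method) for r in issues)


# Constructed sample data: account URIs are placeholders, not real ACME accounts.
OWNER_ACCOUNT = "https://acme-v02.api.letsencrypt.org/acme/acct/111111"
OTHER_ACCOUNT = "https://acme-v02.api.letsencrypt.org/acme/acct/222222"
STRICT = [("issue", f"letsencrypt.org; accounturi={OWNER_ACCOUNT}; validationmethods=dns-01")]
# Assumed shape of the platform-injected record: a bare issue entry with no RFC 8657 parameters.
AUGMENTED = STRICT + [("issue", "letsencrypt.org")]


def scenario() -> dict[str, bool]:
    """Owner's intended policy versus the same policy with a bare issue record added beside it."""
    return {
        "owner_dns01_strict": issuance_allowed(STRICT, "letsencrypt.org", OWNER_ACCOUNT, "dns-01"),
        "other_http01_strict": issuance_allowed(STRICT, "letsencrypt.org", OTHER_ACCOUNT, "http-01"),
        "other_http01_augmented": issuance_allowed(AUGMENTED, "letsencrypt.org", OTHER_ACCOUNT, "http-01"),
    }
```

The third result is the gap the article describes: once a parameter-less record sits beside the strict one, an http-01 request from an unrelated account is permitted by the CAA check, so only the network path stands between a route leak and a certificate.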
UPDATE (January 2026): The Venezuela Confirmation
In January 2026, a massive BGP leak involving Venezuela’s state-owned ISP (CANTV, AS8048) made global headlines. In their analysis of the incident, Cloudflare explicitly stated that “BGP route leaks happen all of the time, and they have always been part of the Internet.” [1a]
This admission highlights exactly why the security gap described in this article is so critical. If BGP leaks are “common” (whether accidental or malicious), then the network layer cannot be trusted for domain validation.
Yet, as detailed below, Cloudflare’s Universal SSL default configuration actively disables the specific IETF standard (RFC 8657) designed to prevent these common BGP leaks from being weaponized to issue fraudulent certificates.
I have opened a new discussion on this specific contradiction with the Cloudflare team.
By David Osipov
Table of contents
1. Audio Overview
2. Video Overview
3. TL;DR
4. The Mechanism
5. The Risk
6. The Precedent
7. The Mitigation
8. Introduction: A Critical Security Gap in Cloudflare’s Universal SSL
9. RFC 8659 vs RFC 8657: The CAA Standards Explained
10. 1. The Basic Standard: RFC 8659 (CAA)
11. 2. The Real Standard: RFC 8657 (The ACME Extensions)
12. Technical Deep Dive: http-01 vs. dns-01
13. The Cloudflare Problem: A “Feature Collision”
14. This Isn’t Just Cloudflare: A Pattern of “Platform vs. Provider”
15. The Industry’s Answer: Multi-Perspective Issuance Corroboration (MPIC)
16. The Princeton connection
17. Implementation timeline
18. Why MPIC doesn’t replace RFC 8657
19. But… Is This Really a Problem? (Yes, It Is)
20. My Attempt to Engage Cloudflare
21. The Core Contradiction: A Business Decision, Not a Technical Lag
22. What Should Be Done (The Fix is Not Complicated)
23. What can be done now?
This investigation began after my own failed attempt to implement RFC 8657 CAA records on my Cloudflare-hosted domains. When I discovered that Cloudflare was silently overwriting my security-hardened CAA records, I realized millions of free-tier users were unknowingly vulnerable to the same MitM attack that compromised jabber.ru in 2023. After a month of silence from Cloudflare's community team, followed by a dismissive response citing 'standard adoption timelines,' I knew this issue needed broader exposure. My subsequent article on Habr.com became the week's top post, confirming the community's concern about this artificial security gap.
Files
Archived_article.1.7.wacz (72.5 MB)
Additional details
Additional titles
- Translated title (Russian): The jabber.ru attack (2023) exposes a critical Cloudflare vulnerability in 2026
Dates
- Created: 2025-12-31
- Updated: 2026-01-05, v. 1.1. Added video overview section with embedded YouTube presentation analyzing the security vulnerability.
- Updated: 2026-01-06, v. 1.2. Added audio overview section with accessible HTML5 audio player, properly configured R2 CORS policy, and enhanced WCAG 2.2 AA/WAI-ARIA compliance.
- Updated: 2026-01-06, v. 1.3. Added inline JSON-LD RSL metadata and human-readable CC BY 4.0 license information to the Audio and Video overviews; minor accessibility improvements.
- Updated: 2026-01-09, v. 1.4. Added DOI (10.5281/zenodo.18201412) for citation management and academic discovery systems.
- Updated: 2026-01-15, v. 1.5. Added analysis of the January 2026 Venezuela BGP leak as confirmation of the threat vector. Linked to new Cloudflare Community discussion on RFC 8657 support requirements.
- Updated: 2026-01-17, v. 1.6. Added draft-ietf-acme-dns-persist-00 analysis and industry RFC 8657 support matrix. Integrated Henry Birge-Lee's DNSSEC synergy discussion from CA/B Forum. Clarified account-binding defense mechanisms for multi-tenant platforms. Updated data as of Jan 2026.
- Updated: 2026-01-21, v. 1.7. Integrated independent validation: NotCVE-2026-0001 (CVSS 8.7) and CERT/CC VINCE case VU#840183. Added 'Vulnerability Status' section with technical classifications (CWE/CAPEC). Contextualized Cloudflare's Jan 19 ACME WAF bypass patch as independent fix unrelated to CAA override. Enhanced with semantic HTML tags for dates and data elements.
References
- Cloudflare Community (2025) Critical security gap: Cloudflare must fully support RFC 8657 CAA. Cloudflare Community. Retrieved from https://community.cloudflare.com/t/critical-security-gap-cloudflare-must-fully-support-rfc-8657-caa/799999. Archived 2025-11-29 at https://archive.ph/v45rx.
- ValdikSS (2023) Encrypted traffic interception on Hetzner and Linode targeting the largest russian XMPP (Jabber) messaging service. Retrieved from https://notes.valdikss.org.ru/jabber.ru-mitm/. Archived 2025-10-01 at https://web.archive.org/web/20251001180559/http://notes.valdikss.org.ru/jabber.ru-mitm/.
- Hallam-Baker, P., Stradling, R., Hoffman-Andrews, J. (2019) DNS certification authority authorization (CAA) resource record. RFC Editor. Retrieved from https://doi.org/10.17487/RFC8659.
- Hallam-Baker, P., Stradling, R. (2013) DNS certification authority authorization (CAA) resource record. RFC Editor. Retrieved from https://doi.org/10.17487/RFC6844.
- Landau, H. (2019) Certification authority authorization (CAA) record extensions for account URI and automatic certificate management environment (ACME) method binding. RFC Editor. Retrieved from https://doi.org/10.17487/RFC8657.
- Landau, H. (2023) XMPP CA/jabber.ru incident. Retrieved from https://www.devever.net/~hl/xmpp-incident. Archived 2025-09-03 at https://web.archive.org/web/20250903150526/https://www.devever.net/~hl/xmpp-incident.
- Cloudflare (n.d.) Add CAA records - Cloudflare SSL/TLS docs. Cloudflare. Retrieved from https://developers.cloudflare.com/ssl/edge-certificates/caa-records/. Archived 2025-11-29 at https://web.archive.org/web/20251129082411/https://developers.cloudflare.com/ssl/edge-certificates/caa-records/.
- Cloudflare Community (2025) Cloudflare nameservers ignore CAA record validationmethods and accounturi. Cloudflare Community. Retrieved from https://community.cloudflare.com/t/cloudflare-nameservers-ignore-caa-record-validationmethods-and-accounturi/758109. Archived 2025-11-30 at https://archive.ph/Yiizx.
- Vercel (n.d.) Working with DNS. Vercel. Retrieved from https://vercel.com/docs/domains/working-with-dns. Archived 2025-06-12 at https://web.archive.org/web/20250612154059/https://vercel.com/docs/domains/working-with-dns.
- AWS (n.d.) Set up to use AWS certificate manager. AWS. Retrieved from https://docs.aws.amazon.com/acm/latest/userguide/setup.html#setup-caa. Archived 2025-07-29 at https://web.archive.org/web/20250729205005/https://docs.aws.amazon.com/acm/latest/userguide/setup.html#setup-caa.
- Google Cloud (n.d.) Troubleshoot certificate issuance - Google Cloud. Google Cloud. Retrieved from https://docs.cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs#caa.
- DNSimple Support (2025) CAA record format and policy tags. DNSimple Support. Retrieved from https://support.dnsimple.com/articles/caa-record-format/.
- AWS (2017) Amazon Route 53 now supports CAA records. AWS. Retrieved from https://aws.amazon.com/about-aws/whats-new/2017/08/amazon-route-53-now-supports-caa-records/.
- Birge-Lee, H., Sun, Y., Edmundson, A., Rexford, J., Mittal, P. (2018) Bamboozling certificate authorities with BGP. In 27th USENIX Security Symposium (USENIX Security 18). Baltimore, MD. Retrieved from https://www.usenix.org/conference/usenixsecurity18/presentation/birge-lee. Archived 2025-10-01 at https://web.archive.org/web/20251012064048/https://www.usenix.org/conference/usenixsecurity18/presentation/birge-lee.
- CA/Browser Forum (2024) Ballot sc067v3: Require domain validation and CAA checks to be performed from multiple network perspectives. CA/Browser Forum. Retrieved from https://cabforum.org/2024/08/05/ballot-sc067v3-require-domain-validation-and-caa-checks-to-be-performed-from-multiple-network-perspectives-corroboration. Archived 2025-10-12 at https://web.archive.org/web/20251012064049/https://cabforum.org/2024/08/05/ballot-sc067v3-require-domain-validation-and-caa-checks-to-be-performed-from-multiple-network-perspectives-corroboration.
- Wikipedia (n.d.) DigiNotar - Wikipedia. Wikipedia. Retrieved from https://en.wikipedia.org/wiki/DigiNotar.
- SSLMate (n.d.) Timeline of certificate authority failures. SSLMate. Retrieved from https://sslmate.com/resources/certificate_authority_failures. Archived 2025-09-17 at https://web.archive.org/web/20250917234438/https://sslmate.com/resources/certificate_authority_failures.
- Wilson, K. (2016) Distrusting new WoSign and StartCom certificates. Retrieved from https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/. Archived 2025-09-21 at https://web.archive.org/web/20250921194325/https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/.
- Gualtieri, M. (2017) Chaining remote web vulnerabilities to abuse Let's Encrypt. Retrieved from https://www.mike-gualtieri.com/posts/chaining-remote-web-vulnerabilities-to-abuse-lets-encrypt. Archived 2025-09-07 at https://web.archive.org/web/20250907232526/https://www.mike-gualtieri.com/posts/chaining-remote-web-vulnerabilities-to-abuse-lets-encrypt.
- Osipov, D. (2025) A hole in Cloudflare's shield: how the attack on Jabber.ru exposed a problem nobody has talked about since 2023 (in Russian). Retrieved from https://habr.com/ru/articles/918570/. Archived 2025-08-12 at https://web.archive.org/web/20250812005512/https://habr.com/ru/articles/918570/.
- Rescorla, E. (2018) The transport layer security (TLS) protocol version 1.3. RFC Editor. Retrieved from https://doi.org/10.17487/RFC8446.
- Iyengar, J., Thomson, M. (2021) QUIC: A UDP-based multiplexed and secure transport. RFC Editor. Retrieved from https://doi.org/10.17487/RFC9000.
- Sullivan, N. (2016) Introducing TLS 1.3. Retrieved from https://blog.cloudflare.com/introducing-tls-1-3/. Archived 2025-08-23 at https://web.archive.org/web/20250823134855/https://blog.cloudflare.com/introducing-tls-1-3/.
- Jones, N. (2018) Get a head start with QUIC. Retrieved from https://blog.cloudflare.com/head-start-with-quic/. Archived 2025-06-20 at https://web.archive.org/web/20250620064636/https://blog.cloudflare.com/head-start-with-quic/.
- Rescorla, E., Oku, K., Sullivan, N., Wood, C. A. (2025) TLS encrypted client hello. Internet Engineering Task Force. Retrieved from https://datatracker.ietf.org/doc/draft-ietf-tls-esni/25/. Work in Progress.
- Patton, C. (2020) Good-bye ESNI, hello ECH!. Retrieved from https://blog.cloudflare.com/encrypted-client-hello/. Archived 2025-09-05 at https://web.archive.org/web/20250905140052/https://blog.cloudflare.com/encrypted-client-hello/.
- Gaudiaut, T. (2025) Cloudflare, a hidden pillar of the internet. Statista. Retrieved from https://www.statista.com/chart/35487/market-share-of-reverse-proxy-services-cloudflare/. Archived 2025-11-30 at https://web.archive.org/web/20251130143159/https://www.statista.com/chart/35487/market-share-of-reverse-proxy-services-cloudflare/?__sso_cookie_checker=failed.
- W3Techs.com (2025) Usage of reverse proxy services for websites, November 2025. W3Techs. Retrieved from https://w3techs.com/technologies/overview/proxy/. Archived 2025-11-30 at https://archive.ph/6fkAS.
- Cloudflare Community (2026) Universal SSL exposes domains to BGP leaks (re: Venezuela analysis). Cloudflare Community. Retrieved from https://community.cloudflare.com/t/universal-ssl-exposes-domains-to-bgp-leaks-re-venezuela-analysis/879930. Archived 2026-01-15 at https://archive.ph/uZsIM.
- Herdes, B. (2026) A closer look at a BGP anomaly in Venezuela. Retrieved from https://blog.cloudflare.com/bgp-route-leak-venezuela/. Archived 2026-01-13 at https://web.archive.org/web/20260113015221/https://blog.cloudflare.com/bgp-route-leak-venezuela/.
- Cimaszewski, G., Birge-Lee, H., Wang, L., Rexford, J., Mittal, P. (2023) How effective is multiple-vantage-point domain control validation?. arXiv. Retrieved from https://doi.org/10.48550/arXiv.2302.08000.
- Heurich, S., Birge-Lee, H., Slaughter, M. (2025) Automated certificate management environment (ACME) challenge for persistent DNS TXT record validation (draft-ietf-acme-dns-persist-00). IETF. Retrieved from https://datatracker.ietf.org/doc/draft-ietf-acme-dns-persist/. Archived 2026-01-17 at https://web.archive.org/web/20260117123622/https://datatracker.ietf.org/doc/draft-ietf-acme-dns-persist/.
- Birge-Lee, H. (2025) The use of DNSSEC by certificate authorities. Server Certificate WG (CA/B Forum). Retrieved from https://groups.google.com/a/groups.cabforum.org/g/servercert-wg/c/WNGFxQjPkPY. Archived 2026-01-17 at https://web.archive.org/web/20260117120505/https://groups.google.com/a/groups.cabforum.org/g/servercert-wg/c/WNGFxQjPkPY?pli=1.
- DigiCert (2025) A new DNS validation method for simplified certificate automation. Retrieved from https://www.digicert.com/blog/a-new-dns-validation-method. Archived 2026-01-17 at https://web.archive.org/web/20260117114505/https://www.digicert.com/blog/a-new-dns-validation-method.
- Let's Encrypt Community Support (2023) Issue certificates only to specific agent keys. Let's Encrypt Community Support. Retrieved from https://community.letsencrypt.org/t/issue-certificates-only-to-specific-agent-keys/184283. Archived 2026-01-17 at https://web.archive.org/web/20260117123907/https://community.letsencrypt.org/t/issue-certificates-only-to-specific-agent-keys/184283/5.
- Google Chrome (2025) Chrome root program policy, version 1.7. Google Chrome. Retrieved from https://googlechrome.github.io/chromerootprogram/. Archived 2026-01-06 at https://web.archive.org/web/20260106145919/https://googlechrome.github.io/chromerootprogram/.
- Google Trust Services LLC (2025) Google trust services, certification practice statement v.5.22. Google Trust Services LLC. Retrieved from https://pki.goog/repo/cps/5.22/GTS-CPS.html. Archived 2026-01-17 at https://web.archive.org/web/20260117133043/https://pki.goog/repo/cps/5.22/GTS-CPS.html.
- W3Techs (2026) Cloudflare: W3Techs reverse proxy services usage statistics. W3Techs. Retrieved from https://w3techs.com/technologies/details/cn-cloudflare. Archived 2026-01-17 at https://archive.ph/oeQrL.
- Netlify (2023) HTTPS (SSL) | Netlify docs. Netlify. Retrieved from https://docs.netlify.com/domains-https/https-ssl/#netlify-managed-certificates. Archived 2026-01-17 at https://web.archive.org/web/20260117025839/https://docs.netlify.com/manage/domains/secure-domains-with-https/https-ssl/#netlify-managed-certificates.
- Let's Encrypt Community Support (2022) PROD support for rfc8657 CAA constraints. Let's Encrypt Community Support. Retrieved from https://community.letsencrypt.org/t/prod-support-for-rfc8657-caa-constraints-for-accounturi-and-validationmethods/181584. Archived 2026-01-17 at https://web.archive.org/web/20260117124118/https://community.letsencrypt.org/t/prod-support-for-rfc8657-caa-constraints-for-accounturi-and-validationmethods/181584.
- University of North Carolina at Charlotte (2024) Let's Encrypt using accounturi. University of North Carolina at Charlotte. Retrieved from https://acme-lecaa.charlotte.edu/. Archived 2025-01-14 at https://web.archive.org/web/20250114115101/https://acme-lecaa.charlotte.edu/.
- Google Cloud (n.d.) Use Google-managed SSL certificates. Google Cloud. Retrieved from https://docs.cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs#caa. Archived 2026-01-17 at https://web.archive.org/web/20260117152905/https://docs.cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs#caa.
- Netlify Support Forums (2023) Let's encrypt accounturi for CAA record. Netlify Support Forums. Retrieved from https://answers.netlify.com/t/lets-encrypt-accounturi-for-caa-record/103453. Archived 2025-07-10 at https://web.archive.org/web/20250710081402/https://answers.netlify.com/t/lets-encrypt-accounturi-for-caa-record/103453.
- NotCVE.org (2026) NotCVE-2026-0001: Cloudflare Universal SSL CAA augmentation. NotCVE.org. Retrieved from https://notcve.org/view.php?id=NotCVE-2026-0001. NotCVE listing. CVSS v3.1: 8.7 (High). Archived 2026-01-21 at https://web.archive.org/web/20260121122026/https://notcve.org/view.php?id=NotCVE-2026-0001.
- Deshpande, H., Mitchell, A., Garofalo, L. (2026) How we mitigated a vulnerability in Cloudflare's ACME validation logic. Retrieved from https://blog.cloudflare.com/acme-path-vulnerability/. Archived 2026-01-19 at https://web.archive.org/web/20260119223010/https://blog.cloudflare.com/acme-path-vulnerability/.