CVE-2026-14440

MEDIUMPre-NVD 6.86.8
EchelonGraph scoreMEDIUM confidence

This medium-severity CVE scores 6.8 under CISA-ADP (Vulnrichment) CVSS v3.1 (NVD's own analysis pending). EPSS exploit probability: 0.1%, top 97% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cisa-adp, epss
Trending — 4 sources updated this week
6.8
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: 0%CVSS: 6.8Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Description:

To issue and renew TLS certificates on behalf of customers, Cloudflare's Universal SSL feature automatically manages the CAA RRset for the customer's zone. This auto-managed RRset is permissive by design (e.g. 'issue "letsencrypt.org"' without parameters). On Universal SSL zones, Cloudflare's authoritative DNS serves this auto-managed RRset at query time, superseding any customer-configured CAA records on the zone. When a customer publishes a stricter CAA record using the RFC 8657 accounturi or validationmethods parameters, the Certificate Authority does not observe those parameters when evaluating the served RRset under RFC 8659. As a result, the RFC 8657 account-binding and validation-method-binding protections are not enforced end-to-end on Universal SSL zones. Successful exploitation could result in issuance of a browser-trusted TLS certificate to an attacker, enabling MITM against the affected domain.

Exploitation is non-trivial in practice: an attacker would need to hold an ACME account at one of the Certificate Authorities in the served CAA RRset and to simultaneously satisfy domain control validation across the multiple geographically distinct Network Perspectives the CA relies on for Multi-Perspective Issuance Corroboration. Cloudflare prefixes are anycast-announced from hundreds of locations globally, raising the bar against single-vantage-point BGP hijacks. Any resulting misissuance of a browser-trusted certificate is subject to Certificate Transparency logging required by major browsers, and would be visible to CT monitoring.

Mitigation: 

Customers requiring strict RFC 8657 enforcement need to disable Universal SSL on the affected zone.

Universal SSL's automatic CAA management and customer-set RFC 8657 accounturi and validationmethods enforcement are mutually exclusive by the nature of the issue, so there is no in-product workaround that preserves both. 

Certificate Transparency monitoring is recommended for all customers as a general detection control.

Credits:

David Osipov (ORCID: https://orcid.org/0009-0005-2713-9242), independent researcher

CVSS v3
6.8
EG Score
6.8(medium)
EPSS
3.3%
KEV
Not listed

Published

July 2, 2026

Last Modified

July 2, 2026

Advisory Details (6)

Auto-updated Jul 2, 2026
⚠️ Active exploitation confirmed. No patch confirmed yet.
generic

The 2023 jabber.ru Attack Exposes a Critical Cloudflare Flaw in 2026 | Zenodo

https://zenodo.org/records/18330221
generic🔴 Active Exploitation

The 2023 jabber.ru Attack Exposes a Critical Cloudflare Flaw in 2026

https://david-osipov.vision/en/blog/cybersecurity/cloudflare-ssl-mitm-flaw-2026/
generic

RFC 8659: DNS Certification Authority Authorization (CAA) Resource Record | RFC Editor

https://www.rfc-editor.org/rfc/rfc8659
generic

RFC 8657: Certification Authority Authorization (CAA) Record Extensions for Account URI and Automatic Certificate Management Environment (ACME) Method Binding | RFC Editor

https://www.rfc-editor.org/rfc/rfc8657
generic

Limitations for Universal SSL · Cloudflare SSL/TLS docs

https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/limitations/
generic

Add CAA records · Cloudflare SSL/TLS docs

https://developers.cloudflare.com/ssl/edge-certificates/caa-records/

Vendor Advisories for CVE-2026-14440(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Weakness Classification(2)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Data Freshness Timeline

(refreshed 21× in last 7d / 21× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-07 00:36 UTCEG score recompute
  2. 2026-07-07 00:36 UTCGHSA enrichment
  3. 2026-07-06 16:27 UTCEPSS rescore
  4. 2026-07-06 02:23 UTCEPSS rescore
  5. 2026-07-06 01:37 UTCEG score recompute
  6. 2026-07-06 01:37 UTCGHSA enrichment
  7. 2026-07-05 02:39 UTCEG score recompute
  8. 2026-07-05 02:38 UTCGHSA enrichment
  9. 2026-07-05 02:30 UTCEPSS rescore
  10. 2026-07-05 02:30 UTCEPSS rescore
  11. 2026-07-04 06:31 UTCEPSS rescore
  12. 2026-07-04 03:39 UTCEG score recompute
  13. 2026-07-04 03:39 UTCGHSA enrichment
  14. 2026-07-03 04:38 UTCEG score recompute 0.80
  15. 2026-07-03 04:38 UTCGHSA enrichment
  16. 2026-07-02 22:05 UTCNVD updateCVSS v3 → 6.8 · severity → MEDIUM
  17. 2026-07-02 16:59 UTCEG score recompute 7.60
  18. 2026-07-02 16:59 UTCGHSA enrichment
  19. 2026-07-02 16:58 UTCNVD updateCVSS v3 → 7.6 · CVSS v4 → 7.6
  20. 2026-07-02 01:19 UTCEG score recompute
  21. 2026-07-02 01:19 UTCGHSA enrichment

Frequently asked(5)

What is CVE-2026-14440?
CVE-2026-14440 is a medium vulnerability published on July 2, 2026. Description: To issue and renew TLS certificates on behalf of customers, Cloudflare's Universal SSL feature automatically manages the CAA RRset for the customer's zone. This auto-managed RRset is permissive by design (e.g. 'issue "letsencrypt.org"' without parameters). On Universal SSL zones,…
When was CVE-2026-14440 disclosed?
CVE-2026-14440 was first published in the National Vulnerability Database on July 2, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-14440 actively exploited?
CVE-2026-14440 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 3.3% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-14440?
CVE-2026-14440 has a CVSS v3.1 base score of 6.8 (CISA-ADP / Vulnrichment enrichment; NVD's own analysis pending).
How do I remediate CVE-2026-14440?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-14440, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-14440

Explore →

Is Your Infrastructure Affected by CVE-2026-14440?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.