Cloudflare addressed a flaw in its WAF that let attackers bypass security measures and access origin servers during ACME validation. The issue arose from a logic error that disabled WAF features for certain requests, potentially allowing unauthorized access. The company implemented a fix to ensure that WAF features remain active unless the request matches a valid ACME token.