The externally controlled TOKEN variable (by the ACME server) is used to construct a path into which an externally controlled value $AUTH is written. This can be exploited by the ACME server to overwrite arbitrary files with arbitrary content.

That was fast, thanks!