Yes, this adds a risk which you might judge worth taking.
ACME http-01 validations involve asking an HTTP server for a resource in the .well-known/ reserved URI space with an arbitrary token name, and expecting a reply which contains the token AND a magic value associated with an ACME account.
Ordinarily one configures the server manually each time to respond to requests for a token you know will be used for a single ACME validation you want to succeed.
"Stateless" mode configures the web server to always reply saying the validation is OK for your ACME account, to any request.
Bad Guys can't just use this stateless configuration to get certificates because they don't own your ACME account; if they try to use _their_ ACME account, the validations fail because "stateless" is configured for a single account.
However, if bad guys get your ACME account private key or trick you into configuring one they know, with "stateless" mode they can request certificates at any time and your server will validate the requests automatically.
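The difference between the two modes described above, as an added example that is not part of the original comment: it models the http-01 check with a per-token responder and a "stateless" responder pinned to one account thumbprint. The class names, tokens and JWK values are constructed for illustration, and the key coordinates are placeholders, not real curve points.

```python
import base64, hashlib, json, re

TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")  # ACME tokens use the base64url alphabet

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an EC public JWK: the account's 'magic value'."""
    required = {k: jwk[k] for k in ("crv", "kty", "x", "y")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def key_authorization(token: str, jwk: dict) -> str:
    return f"{token}.{jwk_thumbprint(jwk)}"

class StatefulResponder:
    """Answers only for tokens provisioned for a validation the operator started."""
    def __init__(self):
        self.pending = {}
    def provision(self, token: str, jwk: dict) -> None:
        self.pending[token] = key_authorization(token, jwk)
    def get(self, token: str):
        return self.pending.get(token)  # None stands for a 404

class StatelessResponder:
    """Answers for every well-formed token using one fixed account thumbprint."""
    def __init__(self, thumbprint: str):
        self.thumbprint = thumbprint
    def get(self, token: str):
        return f"{token}.{self.thumbprint}" if TOKEN_RE.fullmatch(token) else None

def ca_accepts(responder, token: str, account_jwk: dict) -> bool:
    """CA-side check: body must equal token + '.' + requesting account's thumbprint."""
    body = responder.get(token)
    return body is not None and body == key_authorization(token, account_jwk)

# Constructed sample keys: placeholder coordinates, not real P-256 points.
OWNER_JWK = {"kty": "EC", "crv": "P-256", "x": "owner-x-constructed", "y": "owner-y-constructed"}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": "other-x-constructed", "y": "other-y-constructed"}

if __name__ == "__main__":
    stateless = StatelessResponder(jwk_thumbprint(OWNER_JWK))
    stateful = StatefulResponder()
    stateful.provision("tok-expected", OWNER_JWK)
    for name, r in (("stateful", stateful), ("stateless", stateless)):
        print(name,
              "| expected token:", ca_accepts(r, "tok-expected", OWNER_JWK),
              "| unplanned token, same account:", ca_accepts(r, "tok-unplanned", OWNER_JWK),
              "| other account:", ca_accepts(r, "tok-expected", OTHER_JWK))
```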