WAF Release - 2026-04-07
This week's release introduces new detections for a critical Remote Code Execution (RCE) vulnerability in MCP Server (CVE-2026-23744), alongside targeted protection for an authentication bypass vulnerability in SolarWinds products (CVE-2025-40552). Additionally, this release includes a new generic detection rule designed to identify and block Cross-Site Scripting (XSS) injection attempts leveraging "OnEvent" handlers within HTTP cookies.
Key Findings
-
MCP Server (CVE-2026-23744): A vulnerability in the Model Context Protocol (MCP) server implementation where malformed input payloads can trigger a memory corruption state, allowing for arbitrary code execution.
-
SolarWinds (CVE-2025-40552): A critical flaw in the authentication module allows unauthenticated attackers to bypass security filters and gain unauthorized access to the management console due to improper identity token validation.
-
XSS OnEvents Cookies: This generic rule identifies malicious event handlers (such as onload or onerror) embedded within HTTP cookie values.
Impact
Successful exploitation of the MCP Server and SolarWinds vulnerabilities could allow unauthenticated attackers to execute arbitrary code or gain administrative control, leading to a full system takeover. Additionally, the new generic XSS detection prevents attackers from leveraging browser event handlers in cookies to hijack user sessions or execute malicious scripts.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | Generic Rules - Command Execution - 5 - Body | Log | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | Generic Rules - Command Execution - 5 - Header | Log | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | Generic Rules - Command Execution - 5 - URI | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | MCP Server - Remote Code Execution - CVE:CVE-2026-23744 | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | XSS - OnEvents - Cookies | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - Evasion - Body | Log | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - Evasion - Headers | Log | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - Evasion - URI | Log | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - LIKE 3 - Body | Log | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - LIKE 3 - URI | Log | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - UNION - 2 - Body | Log | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - UNION - 2 - URI | Log | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SolarWinds - Auth Bypass - CVE:CVE-2025-40552 | Log | Block | This is a new detection. |