Changelog

New updates and improvements at Cloudflare.

Application security
  1. We have introduced a unified investigation workspace within Brand Protection to help analysts manage complex brand portfolios. Instead of jumping between individual queries, you can now consolidate your workflow into a single, cohesive view.

    What's new

    • You can now select multiple saved queries from your dashboard to generate a consolidated "Combined Matches" view. This allows you to triage results from different brand queries in one unified table.
    • You can open query extended views in distinct tabs within the Brand Protection dashboard. This enables you to maintain multiple investigation contexts simultaneously and switch between them without losing your place.
    • You can reset your workspace using the new "Clear Selection" action, making it easier to pivot between different investigation sets.

    Key benefits

    • Eliminate fragmented workflows by viewing all matches across different query buckets in a single table, reducing the need to click through dozens of individual query pages
    • Correlate related campaigns by seeing similar domains or infrastructure patterns that appear across multiple saved queries

    Learn more in our Brand Protection documentation.

  1. This week's release focuses on new improvements to enhance coverage.

    Key Findings

    • Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.

    Continuous Rule Improvements

    We are continuously refining our managed rules to provide more resilient protection and deeper insights into attack patterns. To ensure an optimal security posture, we recommend consistently monitoring the Security Events dashboard and adjusting rule actions as these enhancements are deployed.

    | Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
    | --- | --- | --- | --- | --- | --- | --- |
    | Cloudflare Managed Ruleset | | N/A | PostgreSQL - SQLi - COPY - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "PostgreSQL - SQLi - COPY - Body" (ID: ). The rule previously known as "PostgreSQL - SQLi - COPY" is now renamed to "PostgreSQL - SQLi - COPY - Body". |
    | Cloudflare Managed Ruleset | | N/A | PostgreSQL - SQLi - COPY - Headers | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | PostgreSQL - SQLi - COPY - URI | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - AND/OR MAKE_SET/ELT - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - AND/OR MAKE_SET/ELT - Body" (ID: ). The rule previously known as "SQLi - AND/OR MAKE_SET/ELT" is now renamed to "SQLi - AND/OR MAKE_SET/ELT - Body". |
    | Cloudflare Managed Ruleset | | N/A | SQLi - AND/OR MAKE_SET/ELT - Headers | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - AND/OR MAKE_SET/ELT - URI | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - Common Patterns - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - Common Patterns - Body" (ID: ). The rule previously known as "SQLi - Common Patterns" is now renamed to "SQLi - Common Patterns - Body". |
    | Cloudflare Managed Ruleset | | N/A | SQLi - Common Patterns - Headers | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - Common Patterns - URI | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - Equation - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - Equation - Body" (ID: ). The rule previously known as "SQLi - Equation" is now renamed to "SQLi - Equation - Body". |
    | Cloudflare Managed Ruleset | | N/A | SQLi - Equation - Headers | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - Equation - URI | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - AND/OR Digit Operator Digit - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - AND/OR Digit Operator Digit - Body" (ID: ). The rule previously known as "SQLi - AND/OR Digit Operator Digit" is now renamed to "SQLi - AND/OR Digit Operator Digit - Body". |
    | Cloudflare Managed Ruleset | | N/A | SQLi - AND/OR Digit Operator Digit - Headers | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - AND/OR Digit Operator Digit - URI | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - Benchmark Function - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - Benchmark Function - Body" (ID: ). The rule previously known as "SQLi - Benchmark Function" is now renamed to "SQLi - Benchmark Function - Body". |
    | Cloudflare Managed Ruleset | | N/A | SQLi - Benchmark Function - Headers | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - Benchmark Function - URI | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - Comparison - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - Comparison - Body" (ID: ). The rule previously known as "SQLi - Comparison" is now renamed to "SQLi - Comparison - Body". |
    | Cloudflare Managed Ruleset | | N/A | SQLi - Comparison - Headers | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - Comparison - URI | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - String Concatenation - Body - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - String Concatenation - Headers" (ID: ). The rule previously known as "SQLi - String Concatenation - Headers" is now renamed to "SQLi - String Concatenation - Body". |
    | Cloudflare Managed Ruleset | | N/A | SQLi - String Concatenation - Headers | Log | Block | This is a new detection. (Former Id was ) |
    | Cloudflare Managed Ruleset | | N/A | SQLi - String Concatenation - URI | Log | Block | This is a new detection. (Former Id was ) |
    | Cloudflare Managed Ruleset | | N/A | SQLi - SELECT Expression - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - SELECT Expression - Body" (ID: ). The rule previously known as "SQLi - SELECT Expression" is now renamed to "SQLi - SELECT Expression - Body". |
    | Cloudflare Managed Ruleset | | N/A | SQLi - SELECT Expression - Headers | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - SELECT Expression - URI | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - ORD and ASCII - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - ORD and ASCII- Body" (ID: ). The rule previously known as "SQLi - ORD and ASCII" is now renamed to "SQLi - ORD and ASCII- Body". |
    | Cloudflare Managed Ruleset | | N/A | SQLi - ORD and ASCII - URI | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - ORD and ASCII - Headers | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - Destructive Operations | Log | Block | This is a new detection. |
  1. | Announcement Date | Release Date | Release Behavior | Legacy Rule ID | Rule ID | Description | Comments |
     | --- | --- | --- | --- | --- | --- | --- |
     | 2026-04-27 | 2026-05-04 | Disabled | N/A | | Command Injection - Generic 9 - Body Vector - Beta | This is a new detection. This rule will be merged into the original rule "Command Injection - Generic 9 - Body Vector" (ID: ) |
     | 2026-04-27 | 2026-05-04 | Disabled | N/A | | Command Injection - Generic 9 - Header Vector - Beta | This is a new detection. This rule will be merged into the original rule "Command Injection - Generic 9 - Header Vector" (ID: ) |
     | 2026-04-27 | 2026-05-04 | Disabled | N/A | | Command Injection - Generic 9 - URI Vector - Beta | This is a new detection. This rule will be merged into the original rule "Command Injection - Generic 9 - URI Vector" (ID: ) |
     | 2026-04-27 | 2026-05-04 | Disabled | N/A | | Command Injection - Sleep - Beta | This is a new detection. This rule will be merged into the original rule "Command Injection - Sleep" (ID: ) |
     | 2026-04-27 | 2026-05-04 | Disabled | N/A | | Command Injection - Sleep - Headers | This is a new detection. |
     | 2026-04-27 | 2026-05-04 | Disabled | N/A | | Command Injection - Sleep - URI | This is a new detection. |
     | 2026-04-27 | 2026-05-04 | Disabled | N/A | | Fortinet FortiSandbox - Command Injection - CVE:CVE-2026-39808 | This is a new detection. |
     | 2026-04-27 | 2026-05-04 | Log | N/A | | SmarterMail - Remote Code Execution - CVE:CVE-2026-24423 | This is a new detection. |
     | 2026-04-27 | 2026-05-04 | Disabled | N/A | | SQLi - DROP - 2 - URI | This is a new detection. |
     | 2026-04-27 | 2026-05-04 | Disabled | N/A | | SQLi - DROP - 2 - Headers | This is a new detection. |
     | 2026-04-27 | 2026-05-04 | Disabled | N/A | | SQLi - DROP - 2 - Beta | This is a new detection. This rule will be merged into the original rule "SQLi - DROP - 2" (ID: ) |
     | 2026-04-27 | 2026-05-04 | Disabled | N/A | | PHP Object Injection - 2 - URI | This is a new detection. |
     | 2026-04-27 | 2026-05-04 | Disabled | N/A | | PHP Object Injection - 2 - Headers | This is a new detection. |
     | 2026-04-27 | 2026-05-04 | Disabled | N/A | | PHP Object Injection - 2 - Body - Beta | This is a new detection. This rule will be merged into the original rule "PHP Object Injection - 2" (ID: ) |
     | 2026-04-27 | 2026-05-04 | Disabled | N/A | | Remote Code Execution - Common Bash Bypass - Body - Beta | This is a new detection. This rule will be merged into the original rule "Remote Code Execution - Common Bash Bypass" (ID: ) |
     | 2026-04-27 | 2026-05-04 | Disabled | N/A | | Remote Code Execution - Common Bash Bypass - URI | This is a new detection. |
     | 2026-04-27 | 2026-05-04 | Disabled | N/A | | Remote Code Execution - Common Bash Bypass - Headers | This is a new detection. |
     | 2026-04-21 | 2026-05-04 | Log | N/A | | XSS, HTML Injection - Object Tag - Body (beta) | This is a new detection. |
     | 2026-04-21 | 2026-05-04 | Log | N/A | | XSS, HTML Injection - Object Tag - Headers (beta) | This is a new detection. |
     | 2026-04-21 | 2026-05-04 | Log | N/A | | XSS, HTML Injection - Object Tag - URI (beta) | This is a new detection. |
  1. This week's release introduces a new detection for a Remote Code Execution (RCE) vulnerability in Apache ActiveMQ (CVE-2026-34197) and an updated signature for Magento 2 - Unrestricted File Upload. Alongside these detections, we are continuing our work on rule refinements to provide deeper security insights for our customers.

    Key Findings

    • Apache ActiveMQ (CVE-2026-34197): A vulnerability in Apache ActiveMQ allows an unauthenticated, remote attacker to execute arbitrary code. This flaw occurs during the processing of specially crafted network packets, leading to potential full system compromise.

    • Magento 2 - Unrestricted File Upload - 2: This is a follow-up enhancement to our existing protections for Magento and Adobe Commerce.

    Impact

    Successful exploitation of these vulnerabilities could allow unauthenticated attackers to execute arbitrary code or gain full administrative control over affected servers. We strongly recommend applying official vendor patches for Apache ActiveMQ and Magento to address the underlying vulnerabilities.

    Continuous Rule Improvements

    We are continuously refining our managed rules to provide more resilient protection and deeper insights into attack patterns. To ensure an optimal security posture, we recommend consistently monitoring the Security Events dashboard and adjusting rule actions as these enhancements are deployed.

    | Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
    | --- | --- | --- | --- | --- | --- | --- |
    | Cloudflare Managed Ruleset | | N/A | Command Injection - Generic 8 - uri | Log | Block | This is a new detection. Previous description was "Command Injection - Generic 8 - uri - Beta" |
    | Cloudflare Managed Ruleset | | N/A | Command Injection - Generic 8 - body - Beta | Disabled | Disabled | This is a new detection. This rule is merged into the original rule "Command Injection - Generic 8 - body" (ID: ). The rule previously known as "Command Injection - Generic 8" is now renamed to "Command Injection - Generic 8 - body". |
    | Cloudflare Managed Ruleset | | N/A | MySQL - SQLi - Executable Comment - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "MySQL - SQLi - Executable Comment - Body" (ID: ). The rule previously known as "MySQL - SQLi - Executable Comment" is now renamed to "MySQL - SQLi - Executable Comment - Body". |
    | Cloudflare Managed Ruleset | | N/A | MySQL - SQLi - Executable Comment - Headers | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | MySQL - SQLi - Executable Comment - URI | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | Magento 2 - Unrestricted file upload - 2 | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | Apache ActiveMQ - Remote Code Execution - CVE:CVE-2026-34197 | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - Sleep Function - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - Sleep Function" (ID: ) |
    | Cloudflare Managed Ruleset | | N/A | SQLi - Sleep Function - Headers | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - Sleep Function - URI | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - Probing - uri | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - Probing - header | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - Probing - body | Disabled | Disabled | This is a new detection. This rule is merged into the original rule "SQLi - Probing" (ID: ) |
    | Cloudflare Managed Ruleset | | N/A | SQLi - Probing 2 | Disabled | Disabled | This rule had duplicate detection logic and has been deprecated. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - UNION in MSSQL - Body | Disabled | Disabled | This rule has been renamed to differentiate from "SQLi - UNION in MSSQL" (ID: ) and contains updated rule logic. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - UNION - 3 | Disabled | Disabled | This rule had duplicate detection logic and has been deprecated. |
    | Cloudflare Managed Ruleset | | N/A | XSS, HTML Injection - Embed Tag - URI | Disabled | Disabled | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | XSS, HTML Injection - Embed Tag - Headers | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | XSS, HTML Injection - IFrame Tag - Src and Srcdoc Attributes - Headers | Log | Disabled | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | XSS, HTML Injection - Link Tag - Headers | Log | Disabled | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | XSS, HTML Injection - Link Tag - URI | Disabled | Disabled | This is a new detection. |

  1. This week's release introduces a new detection for a critical Remote Code Execution (RCE) vulnerability in Mesop (CVE-2026-33057), alongside protections for high-impact vulnerabilities in Cisco Secure Firewall Management Center (CVE-2026-20079) and FortiClient EMS (CVE-2026-21643). Additionally, this release includes an update to our existing React Server DoS coverage to address recently identified resource exhaustion vectors (CVE-2026-23869).

    Key Findings

    • Cisco Secure FMC (CVE-2026-20079): A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) that allows an unauthenticated, remote attacker to execute arbitrary commands or bypass security filters.

    • FortiClient EMS (CVE-2026-21643): A critical vulnerability in the FortiClient EMS permitting unauthorized access or administrative configuration manipulation via crafted HTTP requests.

    • Mesop (CVE-2026-33057): A vulnerability in the Mesop Python-based UI framework where unauthenticated attackers can execute arbitrary code by sending specially crafted, Base64-encoded payloads in the request body.

    Impact

    Successful exploitation of these vulnerabilities could allow unauthenticated attackers to execute arbitrary code, gain administrative control over network management infrastructure, or trigger server-side resource exhaustion. Administrators are strongly encouraged to apply official vendor updates.

    | Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
    | --- | --- | --- | --- | --- | --- | --- |
    | Cloudflare Managed Ruleset | | N/A | Cisco Secure FMC - RCE via upgradeReadinessCall - CVE:CVE-2026-20079 | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | FortiClient EMS - Pre-Auth SQL Injection - CVE:CVE-2026-21643 | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | Mesop - Remote Code Execution - Base64 Payload - CVE:CVE-2026-33057 | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | React Server - DOS - CVE:CVE-2026-23864 - 1 - Beta | Log | Block | This rule has been merged into the original rule "React Server - DOS - CVE:CVE-2026-23864 - 1" (ID: ) |
    | Cloudflare Managed Ruleset | | N/A | XSS, HTML Injection - Link Tag - URI (beta) | N/A | Disabled | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | XSS, HTML Injection - Embed Tag - URI (beta) | N/A | Disabled | This is a new detection. |
  1. The decode script injected by Email Address Obfuscation now loads with the defer attribute. This means the script no longer blocks page rendering. It downloads in parallel with HTML parsing and executes after the document is fully parsed, before the DOMContentLoaded event.

    This improves page loading performance, contributing to better Core Web Vitals, for all zones with Email Address Obfuscation on. No action is required.

    If you have custom JavaScript that depends on email addresses being decoded at a specific point during page load, note that the decode script now executes after HTML parsing completes rather than inline during parsing.

  1. You can now automate your threat monitoring by setting up custom alerts in your saved views. Instead of manually checking the dashboard for updates, you can subscribe to notifications that trigger whenever new data matches your specific filter sets, like new activity associated with a particular threat actor or spikes in activity within your industry.

    Stay ahead of emerging threats

    By linking your saved views to the Cloudflare Notifications Center, you can ensure the right information reaches your team at the right time.

    • Immediate Alerts: receive real-time notifications the moment a critical event is detected that matches your saved criteria. This is essential for high-priority monitoring, such as tracking active campaigns from specific APT groups.

    • Daily Digests: opt for a summarized report delivered once a day. This is ideal for maintaining situational awareness of broader trends, like regional activity shifts or industry-wide threat landscapes, without cluttering your inbox.

    How to get started

    To set up an alert, go to Application Security > Threat Intelligence > Threat Events. From there:

    1. Choose your datasets, apply your desired filters, and select Save View (or select an existing one).
    2. Open the Manage Saved Views menu.
    3. Select Add Alert next to your chosen view to configure your notification preferences in the Cloudflare dashboard.

    For more technical details on configuring notifications, refer to the Threat Events documentation.

  1. You can now manage mutual TLS (mTLS) and Bring Your Own Certificate Authority (BYO CA) configurations directly from the Cloudflare dashboard — no API required.

    Previously, these advanced workflows required the Cloudflare API. The following are now available in the dashboard:

    • AOP certificate management — Upload and manage your own certificate authorities for Authenticated Origin Pulls (AOP) directly from the dashboard.
    • BYO Client mTLS certificate management — Upload and manage your own CA certificates for client mTLS enforcement without needing API access.
    • CDN hostname to client mTLS certificate mapping — Associate client mTLS certificates with specific hostnames directly from the dashboard.
  1. This week's release introduces new detections for a critical Remote Code Execution (RCE) vulnerability in MCP Server (CVE-2026-23744), alongside targeted protection for an authentication bypass vulnerability in SolarWinds products (CVE-2025-40552). Additionally, this release includes a new generic detection rule designed to identify and block Cross-Site Scripting (XSS) injection attempts leveraging "OnEvent" handlers within HTTP cookies.

    Key Findings

    • MCP Server (CVE-2026-23744): A vulnerability in the Model Context Protocol (MCP) server implementation where malformed input payloads can trigger a memory corruption state, allowing for arbitrary code execution.

    • SolarWinds (CVE-2025-40552): A critical flaw in the authentication module allows unauthenticated attackers to bypass security filters and gain unauthorized access to the management console due to improper identity token validation.

    • XSS OnEvents Cookies: This generic rule identifies malicious event handlers (such as onload or onerror) embedded within HTTP cookie values.

    Impact

    Successful exploitation of the MCP Server and SolarWinds vulnerabilities could allow unauthenticated attackers to execute arbitrary code or gain administrative control, leading to a full system takeover. Additionally, the new generic XSS detection prevents attackers from leveraging browser event handlers in cookies to hijack user sessions or execute malicious scripts.

    | Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
    | --- | --- | --- | --- | --- | --- | --- |
    | Cloudflare Managed Ruleset | | N/A | Generic Rules - Command Execution - 5 - Body | Log | Disabled | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | Generic Rules - Command Execution - 5 - Header | Log | Disabled | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | Generic Rules - Command Execution - 5 - URI | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | MCP Server - Remote Code Execution - CVE:CVE-2026-23744 | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | XSS - OnEvents - Cookies | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - Evasion - Body | Log | Disabled | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - Evasion - Headers | Log | Disabled | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - Evasion - URI | Log | Disabled | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - LIKE 3 - Body | Log | Disabled | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - LIKE 3 - URI | Log | Disabled | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - UNION - 2 - Body | Log | Disabled | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SQLi - UNION - 2 - URI | Log | Disabled | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SolarWinds - Auth Bypass - CVE:CVE-2025-40552 | Log | Block | This is a new detection. |
  1. Two new fields are now available in rule expressions that surface Layer 4 transport telemetry from the client connection. Together with the existing cf.timings.client_tcp_rtt_msec field, these fields give you a complete picture of connection quality for both TCP and QUIC traffic — enabling transport-aware rules without requiring any client-side changes.

    Previously, QUIC RTT and delivery rate data was only available via the Server-Timing: cfL4 response header. These new fields make the same data available directly in rule expressions, so you can use them in Transform Rules, WAF Custom Rules, and other phases that support dynamic fields.

    New fields

    | Field | Type | Description |
    | --- | --- | --- |
    | cf.timings.client_quic_rtt_msec | Integer | The smoothed QUIC round-trip time (RTT) between Cloudflare and the client in milliseconds. Only populated for QUIC (HTTP/3) connections. Returns 0 for TCP connections. |
    | cf.edge.l4.delivery_rate | Integer | The most recent data delivery rate estimate for the client connection, in bytes per second. Returns 0 when L4 statistics are not available for the request. |

    Example: Route slow connections to a lightweight origin

    Use a request header transform rule to tag requests from high-latency connections, so your origin can serve a lighter page variant:

    Rule expression:

    cf.timings.client_tcp_rtt_msec > 200 or cf.timings.client_quic_rtt_msec > 200

    Header modifications:

    | Operation | Header name | Value |
    | --- | --- | --- |
    | Set | X-High-Latency | true |

    Example: Match low-bandwidth connections

    cf.edge.l4.delivery_rate > 0 and cf.edge.l4.delivery_rate < 100000

    For more information, refer to Request Header Transform Rules and the fields reference.

  1. This week's release introduces new detections for a critical authentication bypass vulnerability in Fortinet products (CVE-2025-59718), alongside three new generic detection rules designed to identify and block HTTP Parameter Pollution attempts. Additionally, this release includes targeted protection for a high-impact unrestricted file upload vulnerability in Magento and Adobe Commerce.

    Key Findings

    • CVE-2025-59718: An improper cryptographic signature verification vulnerability in Fortinet FortiOS, FortiProxy, and FortiSwitchManager. This may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication using a maliciously crafted SAML message, if that feature is enabled on the device.

    • Magento 2 - Unrestricted File Upload: A critical flaw in Magento and Adobe Commerce allows unauthenticated attackers to bypass security checks and upload malicious files to the server, potentially leading to Remote Code Execution (RCE).

    Impact

    Successful exploitation of the Fortinet and Magento vulnerabilities could allow unauthenticated attackers to gain administrative control or deploy webshells, leading to complete server compromise and data theft.



    | Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
    | --- | --- | --- | --- | --- | --- | --- |
    | Cloudflare Managed Ruleset | | N/A | Generic Rules - Parameter Pollution - Body | Log | Disabled | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | Generic Rules - Parameter Pollution - Header - Form | Log | Disabled | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | Generic Rules - Parameter Pollution - URI | Log | Disabled | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | Magento 2 - Unrestricted file upload | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | Fortinet FortiCloud SSO - Authentication Bypass - CVE:CVE-2025-59718 | Log | Block | This is a new detection. |
  1. Cloudflare now exposes four new fields in the Transform Rules phase that encode client certificate data in RFC 9440 format. Previously, forwarding client certificate information to your origin required custom parsing of PEM-encoded fields or non-standard HTTP header formats. These new fields produce output in the standardized Client-Cert and Client-Cert-Chain header format defined by RFC 9440, so your origin can consume them directly without any additional decoding logic.

    Each certificate is DER-encoded, Base64-encoded, and wrapped in colons. For example, :MIIDsT...Vw==:. A chain of intermediates is expressed as a comma-separated list of such values.

    New fields

    | Field | Type | Description |
    | --- | --- | --- |
    | cf.tls_client_auth.cert_rfc9440 | String | The client leaf certificate in RFC 9440 format. Empty if no client certificate was presented. |
    | cf.tls_client_auth.cert_rfc9440_too_large | Boolean | true if the leaf certificate exceeded 10 KB and was omitted. In practice this will almost always be false. |
    | cf.tls_client_auth.cert_chain_rfc9440 | String | The intermediate certificate chain in RFC 9440 format as a comma-separated list. Empty if no intermediate certificates were sent or if the chain exceeded 16 KB. |
    | cf.tls_client_auth.cert_chain_rfc9440_too_large | Boolean | true if the intermediate chain exceeded 16 KB and was omitted. |

    The chain encoding follows the same ordering as the TLS handshake: the certificate closest to the leaf appears first, working up toward the trust anchor. The root certificate is not included.

    Example: Forwarding client certificate headers to your origin server

    Add a request header transform rule to set the Client-Cert and Client-Cert-Chain headers on requests forwarded to your origin server. For example, to forward headers for verified, non-revoked certificates:

    Rule expression:

    cf.tls_client_auth.cert_verified and not cf.tls_client_auth.cert_revoked

    Header modifications:

    | Operation | Header name | Value |
    | --- | --- | --- |
    | Set | Client-Cert | cf.tls_client_auth.cert_rfc9440 |
    | Set | Client-Cert-Chain | cf.tls_client_auth.cert_chain_rfc9440 |

    To get the most out of these fields, upload your client CA certificate to Cloudflare so that Cloudflare validates the client certificate at the edge and populates cf.tls_client_auth.cert_verified and cf.tls_client_auth.cert_revoked.

    For more information, refer to Mutual TLS authentication, Request Header Transform Rules, and the fields reference.
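
An origin-side parser for the Client-Cert and Client-Cert-Chain headers set by the rule above, added here as an example (it is not Cloudflare's code). The function names, the sample bytes, and the choice to apply the 10 KB and 16 KB limits to the decoded DER are assumptions.

```python
import base64
import binascii
import hashlib
import re

# Size limits taken from the field descriptions above; applying them to the
# decoded DER bytes (rather than the encoded text) is an assumption.
MAX_LEAF_BYTES = 10 * 1024
MAX_CHAIN_BYTES = 16 * 1024

# RFC 8941 byte sequence: Base64 text wrapped in colons.
BYTE_SEQUENCE = re.compile(r":([A-Za-z0-9+/]*={0,2}):")


class ClientCertHeaderError(ValueError):
    """Raised when a header value is not a well-formed RFC 9440 value."""


def encode_rfc9440(der: bytes) -> str:
    """Encode DER bytes the way the headers carry them (used for the sample)."""
    return ":" + base64.b64encode(der).decode("ascii") + ":"


def decode_byte_sequence(item: str) -> bytes:
    """Decode one colon-wrapped item and check that it looks like DER."""
    match = BYTE_SEQUENCE.fullmatch(item)
    if match is None:
        raise ClientCertHeaderError("value is not a colon-wrapped byte sequence")
    try:
        der = base64.b64decode(match.group(1), validate=True)
    except binascii.Error as exc:
        raise ClientCertHeaderError("invalid Base64 payload") from exc
    # A DER certificate is an ASN.1 SEQUENCE, so it must start with 0x30.
    if not der.startswith(b"\x30"):
        raise ClientCertHeaderError("payload is not a DER SEQUENCE")
    return der


def parse_client_cert(value: str):
    """Return the leaf certificate DER, or None when the header is empty."""
    value = value.strip(" \t")
    if not value:
        return None
    der = decode_byte_sequence(value)
    if len(der) > MAX_LEAF_BYTES:
        raise ClientCertHeaderError("leaf certificate exceeds the size limit")
    return der


def parse_client_cert_chain(value: str):
    """Return the intermediates as DER, closest to the leaf first."""
    value = value.strip(" \t")
    if not value:
        return []
    chain = [decode_byte_sequence(part.strip(" \t")) for part in value.split(",")]
    if sum(len(der) for der in chain) > MAX_CHAIN_BYTES:
        raise ClientCertHeaderError("certificate chain exceeds the size limit")
    return chain


def client_identity(headers: dict):
    """Summarise both headers as SHA-256 fingerprints for logging or pinning."""
    lowered = {name.lower(): val for name, val in headers.items()}
    leaf = parse_client_cert(lowered.get("client-cert", ""))
    chain = parse_client_cert_chain(lowered.get("client-cert-chain", ""))
    return {
        "leaf_sha256": hashlib.sha256(leaf).hexdigest() if leaf else None,
        "chain_sha256": [hashlib.sha256(der).hexdigest() for der in chain],
    }


# Constructed stand-ins (tiny ASN.1 SEQUENCEs), not real certificates.
SAMPLE_LEAF = bytes.fromhex("3003020101")
SAMPLE_INTERMEDIATE = bytes.fromhex("3003020102")
SAMPLE_HEADERS = {
    "Client-Cert": encode_rfc9440(SAMPLE_LEAF),
    "Client-Cert-Chain": encode_rfc9440(SAMPLE_INTERMEDIATE)
    + ", "
    + encode_rfc9440(SAMPLE_INTERMEDIATE),
}

if __name__ == "__main__":
    print(client_identity(SAMPLE_HEADERS))
```

The transform rule sets these headers only when its expression matches, so a request that does not match keeps whatever Client-Cert value the client sent. The origin should accept the headers only on connections it can attribute to Cloudflare, and remove or ignore them otherwise.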

  1. Two new fields are now available in the httpRequestsAdaptive and httpRequestsAdaptiveGroups GraphQL Analytics API datasets:

    • webAssetsOperationId — the ID of the saved endpoint that matched the incoming request.
    • webAssetsLabelsManaged — the managed labels mapped to the matched operation at the time of the request (for example, cf-llm, cf-log-in). At most 10 labels are returned per request.

    Both fields are empty when no operation matched. webAssetsLabelsManaged is also empty when no managed labels are assigned to the matched operation.

    These fields allow you to determine, per request, which Web Assets operation was matched and which managed labels were active. This is useful for troubleshooting downstream security detection verdicts — for example, understanding why AI Security for Apps did or did not flag a request.

    Refer to Endpoint labeling service for GraphQL query examples.

  1. This week's release focuses on new improvements to enhance coverage.

    Key Findings

    • Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.



    | Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
    | --- | --- | --- | --- | --- | --- | --- |
    | Cloudflare Managed Ruleset | | N/A | Command Injection - Generic 9 - URI Vector | Log | Disabled | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | Command Injection - Generic 9 - Header Vector | Log | Disabled | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | Command Injection - Generic 9 - Body Vector | Log | Disabled | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | PHP, vBulletin, jQuery File Upload - Code Injection, Dangerous File Upload - CVE:CVE-2018-9206, CVE:CVE-2019-17132 (beta) | Log | Block | This rule has been merged into the original rule "PHP, vBulletin, jQuery File Upload - Code Injection, Dangerous File Upload - CVE:CVE-2018-9206, CVE:CVE-2019-17132" (ID: ) |
  1. In the Cloudflare One dashboard, the overview page for a specific Cloudflare Tunnel now shows all replicas of that tunnel and supports streaming logs from multiple replicas at once.

    View replicas and stream logs from multiple connectors

    Previously, you could only stream logs from one replica at a time. With this update:

    • Replicas on the tunnel overview — All active replicas for the selected tunnel now appear on that tunnel's overview page under Connectors. Select any replica to stream its logs.
    • Multi-connector log streaming — Stream logs from multiple replicas simultaneously, making it easier to correlate events across your infrastructure during debugging or incident response. To try it out, log in to Cloudflare One and go to Networks > Connectors > Cloudflare Tunnels. Select View logs next to the tunnel you want to monitor.

    For more information, refer to Tunnel log streams and Deploy replicas.

  1. You can now manage Cloudflare Tunnels directly from Wrangler, the CLI for the Cloudflare Developer Platform. The new wrangler tunnel commands let you create, run, and manage tunnels without leaving your terminal.

    Available commands:

    • wrangler tunnel create — Create a new remotely managed tunnel.
    • wrangler tunnel list — List all tunnels in your account.
    • wrangler tunnel info — Display details about a specific tunnel.
    • wrangler tunnel delete — Delete a tunnel.
    • wrangler tunnel run — Run a tunnel using the cloudflared daemon.
    • wrangler tunnel quick-start — Start a free, temporary tunnel without an account using Quick Tunnels.

    Wrangler handles downloading and managing the cloudflared binary automatically. On first use, you will be prompted to download cloudflared to a local cache directory.

    These commands are currently experimental and may change without notice.

    To get started, refer to the Wrangler tunnel commands documentation.

  1. The cf.timings.worker_msec field is now available in the Ruleset Engine. This field reports the wall-clock time that a Cloudflare Worker spent handling a request, measured in milliseconds.

    You can use this field to identify slow Worker executions, detect performance regressions, or build rules that respond differently based on Worker processing time, such as logging requests that exceed a latency threshold.

    Field details

    | Field | Type | Description |
    | --- | --- | --- |
    | cf.timings.worker_msec | Integer | The time spent executing a Cloudflare Worker in milliseconds. Returns 0 if no Worker was invoked. |

    Example filter expression:

    cf.timings.worker_msec > 500

    For more information, refer to the Fields reference.

  1. We are introducing Logo Match Preview, bringing the same pre-save visibility to visual assets that was previously only available for string-based queries. This update allows you to fine-tune your brand detection strategy before committing to a live monitor.

    What’s new:

    • Upload your brand logo and immediately see a sample of potential matches from recently detected sites before finalizing the query.
    • Adjust your similarity score (from 75% to 100%) and watch the results refresh in real time to find the balance between broad detection and noise reduction.
    • Review the specific logos triggered by your current settings to ensure your query is capturing the right level of brand infringement.

    If you are ready to test your brand assets, go to the Brand Protection dashboard to try the new preview tool.

  1. The Security Overview has been updated to provide Application Security customers with more actionable insights and a clearer view of their security posture.

    Key improvements include:

    • Criticality for all Insights: Every insight now includes a criticality rating, allowing you to prioritize the most impactful security action items first.
    • Detection Tools Section: A new section displays the security detection tools available to you, indicating which are currently enabled and which can be activated to strengthen your defenses.
    • Industry Peer Comparison (Enterprise customers): A new module from Security Reports benchmarks your security posture against industry peers, highlighting relative strengths and areas for improvement.

    For more information, refer to Security Overview.

  1. This week's release introduces new detections for vulnerabilities in Ivanti Endpoint Manager Mobile (CVE-2026-1281 and CVE-2026-1340), alongside a new generic detection rule designed to identify and block Cross-Site Scripting (XSS) injection attempts within the Content-Security-Policy (CSP) HTTP request header.

    Key Findings

    • CVE-2026-1281 & CVE-2026-1340: Ivanti Endpoint Manager Mobile processes HTTP requests through Apache RewriteMap directives that pass user-controlled input to Bash scripts (/mi/bin/map-appstore-url and /mi/bin/map-aft-store-url). These scripts do not sanitize user input and are vulnerable to shell arithmetic expansion, which allows attackers to achieve unauthenticated remote code execution.
    • Generic XSS in CSP Header: This rule identifies malicious payloads embedded within the request's Content-Security-Policy header. It specifically targets scenarios where web frameworks or applications trust and extract values directly from the CSP header in the incoming request without sufficient validation. Attackers can provide crafted header values to inject scripts or malicious directives that are subsequently processed by the server.

    Impact

    Successful exploitation of the Ivanti EPMM vulnerabilities allows unauthenticated remote code execution, and the generic XSS in the CSP header allows attackers to inject malicious scripts during page rendering. In environments using server-side caching, this poisoned XSS content can subsequently be cached and automatically served to all visitors.
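
    A triage check for the CSP anomaly described above, added here as a Python illustration; it is not Cloudflare's rule logic, and the function names, patterns and sample requests are constructed assumptions. Content-Security-Policy is a response header, so the check treats any request that carries it as suspect, and the second function shows the server-side fix of never deriving the response policy from the request.

```python
import re

# Markers that have no place in a CSP value: markup, script URLs, event handlers.
_MARKUP = re.compile(r"[<>]|javascript:|\bon\w+\s*=", re.IGNORECASE)
# Control characters (CR/LF included) would let a reflected value split headers.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def inspect_request_csp(headers):
    """Return findings for a Content-Security-Policy header on a *request*.

    CSP is a response header, so its presence on a request is itself
    anomalous; markup or control characters in the value raise the severity.
    """
    findings = []
    for name, value in headers.items():
        if name.lower() != "content-security-policy":
            continue
        findings.append("csp-on-request")
        if _MARKUP.search(value):
            findings.append("markup-in-csp")
        if _CONTROL.search(value):
            findings.append("control-chars-in-csp")
    return findings


def build_response_csp(request_headers, server_policy="default-src 'self'"):
    """Hardened handling: the response policy comes from server config only."""
    # request_headers is deliberately ignored: nothing the client sent may
    # influence the policy that ends up in the (possibly cached) response.
    return {"Content-Security-Policy": server_policy}


# Constructed sample requests (not real traffic).
SAMPLES = [
    {"Host": "app.example", "Accept": "text/html"},
    {"Host": "app.example", "content-security-policy": "default-src 'self'"},
    {"Host": "app.example",
     "Content-Security-Policy": "script-src 'nonce-\"><script>alert(1)</script>'"},
]


def triage(samples=SAMPLES):
    """Run the check over every sample and return the findings per request."""
    return [inspect_request_csp(h) for h in samples]
```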

    | Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
    | --- | --- | --- | --- | --- | --- | --- |
    | Cloudflare Managed Ruleset | | N/A | Ivanti EPMM - Code Injection - CVE:CVE-2026-1281 CVE:CVE-2026-1340 | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | Anomaly:Header:Content-Security-Policy | N/A | Block | This is a new detection. |
  1. Introducing Cloudflare's Web and API Vulnerability Scanner (Open Beta)

    Cloudflare is launching the Open Beta of the Web and API Vulnerability Scanner for all API Shield customers. This new, stateful Dynamic Application Security Testing (DAST) platform helps teams proactively find logic flaws in their APIs.

    The initial release focuses on detecting Broken Object Level Authorization (BOLA) vulnerabilities by building API call graphs to simulate attacker and owner contexts, then testing these contexts by sending real HTTP requests to your APIs.
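
    The owner/attacker replay described above, shown as an added Python example over a constructed in-memory API; it is not the Cloudflare scanner or its API, and every name in it (handlers, tokens, invoice IDs) is hypothetical. Function calls stand in for the real HTTP requests a scanner would send.

```python
# Constructed toy API: invoices keyed by id, each with exactly one owner.
INVOICES = {"inv-1": {"owner": "alice", "total": 120},
            "inv-2": {"owner": "bob", "total": 75}}
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


def get_invoice_vulnerable(token, invoice_id):
    """Authenticates the caller but never checks who owns the object."""
    if token not in TOKENS:
        return 401, None
    invoice = INVOICES.get(invoice_id)
    return (200, invoice) if invoice else (404, None)


def get_invoice_fixed(token, invoice_id):
    """Same endpoint with an object-level authorization check."""
    user = TOKENS.get(token)
    if user is None:
        return 401, None
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != user:
        return 404, None  # do not reveal that the object exists
    return 200, invoice


def list_invoices(token):
    """Discovery step: the object ids visible in the owner context."""
    user = TOKENS.get(token)
    return [i for i, inv in INVOICES.items() if inv["owner"] == user]


def bola_check(handler, owner_token, attacker_token):
    """Replay the owner's object ids under the attacker's credentials."""
    findings = []
    for invoice_id in list_invoices(owner_token):
        owner_status, owner_body = handler(owner_token, invoice_id)
        if owner_status != 200:
            continue  # baseline failed, nothing to compare against
        status, body = handler(attacker_token, invoice_id)
        if status == 200 and body == owner_body:
            findings.append(invoice_id)  # attacker read the owner's object
    return findings
```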

    The scanner is now available via the Cloudflare API. To scan, set up your target environment, owner and attacker credentials, and upload your OpenAPI file with response schemas. The scanner will be available in the Cloudflare dashboard in a future release.

    Access: This feature is only available to API Shield subscribers via the Cloudflare API. We hope you will use the API for programmatic integration into your CI/CD pipelines and security dashboards.

    Documentation: Refer to the developer documentation to start scanning your endpoints today.

  1. We have introduced new triage controls to help you manage your Brand Protection results more efficiently. You can now clear out the noise by dismissing matches while maintaining full visibility into your historical decisions.

    What's new

    • Dismiss matches: Users can now mark specific results as dismissed if they are determined to be benign or false positives, removing them from the primary triage view.
    • Show/Hide toggle: A new visibility control allows you to instantly switch between viewing only active matches and including previously dismissed ones.
    • Persistent review states: Dismissed status is saved across sessions, ensuring that your workspace remains organized and focused on new or high-priority threats.

    Key benefits of the dismiss match functionality:

    • Reduce alert fatigue by hiding known-safe results, allowing your team to focus exclusively on unreviewed or high-risk infringements.
    • Auditability and recovery through the visibility toggle, ensuring that no match is ever truly "lost" and can be re-evaluated if a site's content changes.
    • Improved collaboration as your team members can see which matches have already been vetted and dismissed by others.

    Ready to clean up your match queue? Learn more in our Brand Protection documentation.

  1. This week's release introduces new detections for vulnerabilities in SmarterTools SmarterMail (CVE-2025-52691 and CVE-2026-23760), alongside improvements to an existing Command Injection (nslookup) detection to enhance coverage.

    Key Findings

    • CVE-2025-52691: SmarterTools SmarterMail mail server is vulnerable to Arbitrary File Upload, allowing an unauthenticated attacker to upload files to any location on the mail server, potentially enabling remote code execution.
    • CVE-2026-23760: SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API that permits unauthenticated attackers to reset system administrator accounts, because the API fails to verify the existing password or a reset token.

    Impact

    Successful exploitation of these SmarterMail vulnerabilities could lead to full system compromise or unauthorized administrative access to mail servers. Administrators are strongly encouraged to apply vendor patches without delay.

    | Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
    | --- | --- | --- | --- | --- | --- | --- |
    | Cloudflare Managed Ruleset | | N/A | SmarterMail - Arbitrary File Upload - CVE-2025-52691 | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | SmarterMail - Authentication Bypass - CVE-2026-23760 | Log | Block | This is a new detection. |
    | Cloudflare Managed Ruleset | | N/A | Command Injection - Nslookup - Beta | Log | Block | This rule is merged into the original rule "Command Injection - Nslookup" (ID: ) |
  1. TL;DR: You can now create and save custom configurations of the Threat Events dashboard, allowing you to instantly return to specific filtered views — such as industry-specific attacks or regional Sankey flows — without manual reconfiguration.

    Why this matters

    Threat intelligence is most effective when it is personalized. Previously, analysts had to manually re-apply complex filters (like combining specific industry datasets with geographic origins) every time they logged in. This update provides material value:

    • Analysts can now jump straight into "Known Ransomware Infrastructure" or "Retail Sector Targets" views with a single click, eliminating repetitive setup tasks.
    • Teams can ensure everyone is looking at the same data subsets by using standardized saved views, reducing the risk of missing critical patterns due to inconsistent filtering.

    Cloudforce One subscribers can start saving their custom views now in Application Security > Threat Intelligence > Threat Events.

  1. Cloudflare Tunnel is now available in the main Cloudflare Dashboard at Networking > Tunnels, bringing first-class Tunnel management to developers using Tunnel for securing origin servers.

    Manage Tunnels in the Core Dashboard

    This new experience provides everything you need to manage Tunnels for public applications, including:

    Choose the right dashboard for your use case

    Core Dashboard: Navigate to Networking > Tunnels to manage Tunnels for:

    Cloudflare One Dashboard: Navigate to Zero Trust > Networks > Connectors to manage Tunnels for:

    Both dashboards provide complete Tunnel management capabilities — choose based on your primary workflow.

    Get started

    New to Tunnel? Learn how to get started with Cloudflare Tunnel or explore advanced use cases like securing SSH servers or running Tunnels in Kubernetes.