Changelog

New updates and improvements at Cloudflare.

Subscribe to RSS View RSS feeds

Application security

Apr 15, 2026

1. WAF Release - 2026-04-15

   WAF

   This week's release introduces a new detection for a critical Remote Code Execution (RCE) vulnerability in Mesop (CVE-2026-33057), alongside protections for high-impact vulnerabilities in Cisco Secure Firewall Management Center (CVE-2026-20079) and FortiClient EMS (CVE-2026-21643). Additionally, this release includes an update to our existing React Server DoS coverage to address recently identified resource exhaustion vectors (CVE-2026-23869).

   Key Findings

   • Cisco Secure FMC (CVE-2026-20079): A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) that allows an unauthenticated, remote attacker to execute arbitrary commands or bypass security filters.

   • FortiClient EMS (CVE-2026-21643): A critical vulnerability in the FortiClient EMS permitting unauthorized access or administrative configuration manipulation via crafted HTTP requests.

   • Mesop (CVE-2026-33057): A vulnerability in the Mesop Python-based UI framework where unauthenticated attackers can execute arbitrary code by sending specially crafted, Base64-encoded payloads in the request body.

   Impact

   Successful exploitation of these vulnerabilities could allow unauthenticated attackers to execute arbitrary code, gain administrative control over network management infrastructure, or trigger server-side resource exhaustion. Administrators are strongly encouraged to apply official vendor updates.

   Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
   Cloudflare Managed Ruleset	...aef9415b	N/A	Cisco Secure FMC - RCE via upgradeReadinessCall - CVE:CVE-2026-20079	Log	Block	This is a new detection.
   Cloudflare Managed Ruleset	...ee7be621	N/A	FortiClient EMS - Pre-Auth SQL Injection - CVE:CVE-2026-21643	Log	Block	This is a new detection.
   Cloudflare Managed Ruleset	...c953a72b	N/A	Mesop - Remote Code Execution - Base64 Payload - CVE:CVE-2026-33057	Log	Block	This is a new detection.
   Cloudflare Managed Ruleset	...50c08f6f	N/A	React Server - DOS - CVE:CVE-2026-23864 - 1 - Beta	Log	Block	This rule has been merged into the original rule "React Server - DOS - CVE:CVE-2026-23864 - 1" (ID: ...61680354 )
   Cloudflare Managed Ruleset	...ebd81645	N/A	XSS, HTML Injection - Link Tag - URI (beta)	N/A	Disabled	This is a new detection.
   Cloudflare Managed Ruleset	...0af34bba	N/A	XSS, HTML Injection - Embed Tag - URI (beta)	N/A	Disabled	This is a new detection.

Apr 15, 2026

1. WAF Release - Scheduled changes for 2026-04-20

   WAF

   Announcement Date	Release Date	Release Behavior	Legacy Rule ID	Rule ID	Description	Comments
   2026-04-15	2026-04-20	Log	N/A	...ee159e2e	Command Injection - Generic 8 - uri - Beta	This is a new detection.
   2026-04-15	2026-04-20	Disabled	N/A	...a15308cf	Command Injection - Generic 8 - body - Beta	This is a new detection. This rule will be merged into the original rule "Command Injection - Generic 8" (ID: ...413592e2 )
   2026-04-15	2026-04-20	Log	N/A	...958047ed	MySQL - SQLi - Executable Comment - Beta	This is a new detection. This rule will be merged into the original rule "MySQL - SQLi - Executable Comment" (ID: ...7bd2d8fa )
   2026-04-15	2026-04-20	Log	N/A	...582cc559	MySQL - SQLi - Executable Comment - Headers	This is a new detection.
   2026-04-15	2026-04-20	Log	N/A	...		This is a new detection.
   2026-04-15	2026-04-20	Log	N/A	...a16639d3	MySQL - SQLi - Executable Comment - URI	This is a new detection.
   2026-04-15	2026-04-20	Log	N/A	...44f24211	Magento 2 - Unrestricted file upload - 2	This is a new detection.
   2026-04-15	2026-04-20	Log	N/A	...bf170a17	Apache ActiveMQ - Remote Code Execution - CVE:CVE-2026-34197	This is a new detection.
   2026-04-15	2026-04-20	Log	N/A	...1dfa64df	SQLi - Probing - uri - Beta	This is a new detection.
   2026-04-15	2026-04-20	Log	N/A	...4c62e2e7	SQLi - Probing - header - Beta	This is a new detection.
   2026-04-15	2026-04-20	Disabled	N/A	...aab28ea1	SQLi - Probing - body - Beta	This is a new detection. This rule will be merged into the original rule "SQLi - Probing" (ID: ...b4026c88 )
   2026-04-15	2026-04-20	Log	N/A	...8c2ac1a7	SQLi - Sleep Function - Beta	This is a new detection. This rule will be merged into the original rule "SQLi - Sleep Function" (ID: ...f77e8d54 )
   2026-04-15	2026-04-20	Log	N/A	...4dacaeb8	SQLi - Sleep Function - Headers	This is a new detection.
   2026-04-15	2026-04-20	Log	N/A	...ed4c9ece	SQLi - Sleep Function - URI	This is a new detection.
   2026-04-15	2026-04-20	Log	N/A	...70282f38	XSS, HTML Injection - Embed Tag - Headers (beta)	This is a new detection.
   2026-04-15	2026-04-20	Log	N/A	...23f4d718	XSS, HTML Injection - IFrame Tag - Src and Srcdoc Attributes - Headers (beta)	This is a new detection.
   2026-04-15	2026-04-20	Log	N/A	...6978def1	XSS, HTML Injection - Link Tag - Headers (beta)	This is a new detection.

Apr 14, 2026

1. Email obfuscation decode script is now non-render-blocking

   WAF

   The decode script injected by Email Address Obfuscation now loads with the defer attribute. This means the script no longer blocks page rendering. It downloads in parallel with HTML parsing and executes after the document is fully parsed, before the DOMContentLoaded event.

   This improves page loading performance, contributing to better Core Web Vitals, for all zones with Email Address Obfuscation on. No action is required.

   If you have custom JavaScript that depends on email addresses being decoded at a specific point during page load, note that the decode script now executes after HTML parsing completes rather than inline during parsing.

Apr 08, 2026

1. Real-time alerts and daily digests for Threat Events

   Security Center

   You can now automate your threat monitoring by setting up custom alerts in your saved views. Instead of manually checking the dashboard for updates, you can subscribe to notifications that trigger whenever new data matches your specific filter sets, like new activity associated to a particular threat actor or spikes in activity within your industry.

   Stay ahead of emerging threats

   By linking your saved views to the Cloudflare Notifications Center, you can ensure the right information reaches your team at the right time.

   • Immediate Alerts: receive real-time notifications the moment a critical event is detected that matches your saved criteria. This is essential for high-priority monitoring, such as tracking active campaigns from specific APT groups.

   • Daily Digests: opt for a summarized report delivered once a day. This is ideal for maintaining situational awareness of broader trends, like regional activity shifts or industry-wide threat landscapes, without cluttering your inbox.

   

   How to get started

   To set up an alert, go to Application Security > Threat Intelligence > Threat Events. From there:

   1. Choose your datasets and apply your desired filters and select Save View (or select an existing one).
   2. Open the Manage Saved Views menu.
   3. Select Add Alert next to your chosen view to configure your notification preferences in the Cloudflare dashboard.

   For more technical details on configuring notifications, refer to the Threat Events documentation.

Apr 07, 2026

1. Manage mTLS and BYO CA certificates from the Cloudflare dashboard

   SSL/TLS

   You can now manage mutual TLS (mTLS) and Bring Your Own Certificate Authority (BYO CA) configurations directly from the Cloudflare dashboard — no API required.

   Previously, these advanced workflows required the Cloudflare API. The following are now available in the dashboard:

   • AOP certificate management — Upload and manage your own certificate authorities for Authenticated Origin Pulls (AOP) directly from the dashboard.
   • BYO Client mTLS certificate management — Upload and manage your own CA certificates for client mTLS enforcement without needing API access.
   • CDN hostname to client mTLS certificate mapping — Associate client mTLS certificates with specific hostnames directly from the dashboard.

Apr 07, 2026

1. WAF Release - 2026-04-07

   WAF

   This week's release introduces new detections for a critical Remote Code Execution (RCE) vulnerability in MCP Server (CVE-2026-23744), alongside targeted protection for an authentication bypass vulnerability in SolarWinds products (CVE-2025-40552). Additionally, this release includes a new generic detection rule designed to identify and block Cross-Site Scripting (XSS) injection attempts leveraging "OnEvent" handlers within HTTP cookies.

   Key Findings

   • MCP Server (CVE-2026-23744): A vulnerability in the Model Context Protocol (MCP) server implementation where malformed input payloads can trigger a memory corruption state, allowing for arbitrary code execution.

   • SolarWinds (CVE-2025-40552): A critical flaw in the authentication module allows unauthenticated attackers to bypass security filters and gain unauthorized access to the management console due to improper identity token validation.

   • XSS OnEvents Cookies: This generic rule identifies malicious event handlers (such as onload or onerror) embedded within HTTP cookie values.

   Impact

   Successful exploitation of the MCP Server and SolarWinds vulnerabilities could allow unauthenticated attackers to execute arbitrary code or gain administrative control, leading to a full system takeover. Additionally, the new generic XSS detection prevents attackers from leveraging browser event handlers in cookies to hijack user sessions or execute malicious scripts.

   Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
   Cloudflare Managed Ruleset	...0aa410af	N/A	Generic Rules - Command Execution - 5 - Body	Log	Disabled	This is a new detection.
   Cloudflare Managed Ruleset	...9131ec2f	N/A	Generic Rules - Command Execution - 5 - Header	Log	Disabled	This is a new detection.
   Cloudflare Managed Ruleset	...551eb9e5	N/A	Generic Rules - Command Execution - 5 - URI	Log	Block	This is a new detection.
   Cloudflare Managed Ruleset	...d46229eb	N/A	MCP Server - Remote Code Execution - CVE:CVE-2026-23744	Log	Block	This is a new detection.
   Cloudflare Managed Ruleset	...a864b9c2	N/A	XSS - OnEvents - Cookies	Log	Block	This is a new detection.
   Cloudflare Managed Ruleset	...a78ad04e	N/A	SQLi - Evasion - Body	Log	Disabled	This is a new detection.
   Cloudflare Managed Ruleset	...40732d48	N/A	SQLi - Evasion - Headers	Log	Disabled	This is a new detection.
   Cloudflare Managed Ruleset	...e68a99b5	N/A	SQLi - Evasion - URI	Log	Disabled	This is a new detection.
   Cloudflare Managed Ruleset	...3e8143d2	N/A	SQLi - LIKE 3 - Body	Log	Disabled	This is a new detection.
   Cloudflare Managed Ruleset	...70e7fb97	N/A	SQLi - LIKE 3 - URI	Log	Disabled	This is a new detection.
   Cloudflare Managed Ruleset	...4c538bd9	N/A	SQLi - UNION - 2 - Body	Log	Disabled	This is a new detection.
   Cloudflare Managed Ruleset	...61c439c9	N/A	SQLi - UNION - 2 - URI	Log	Disabled	This is a new detection.
   Cloudflare Managed Ruleset	...cf33ea10	N/A	SolarWinds - Auth Bypass - CVE:CVE-2025-40552	Log	Block	This is a new detection.

Apr 01, 2026

1. New QUIC RTT and delivery rate fields

   Rules

   Two new fields are now available in rule expressions that surface Layer 4 transport telemetry from the client connection. Together with the existing cf.timings.client_tcp_rtt_msec field, these fields give you a complete picture of connection quality for both TCP and QUIC traffic — enabling transport-aware rules without requiring any client-side changes.

   Previously, QUIC RTT and delivery rate data was only available via the Server-Timing: cfL4 response header. These new fields make the same data available directly in rule expressions, so you can use them in Transform Rules, WAF Custom Rules, and other phases that support dynamic fields.

   New fields

   Field	Type	Description
   cf.timings.client_quic_rtt_msec	Integer	The smoothed QUIC round-trip time (RTT) between Cloudflare and the client in milliseconds. Only populated for QUIC (HTTP/3) connections. Returns 0 for TCP connections.
   cf.edge.l4.delivery_rate	Integer	The most recent data delivery rate estimate for the client connection, in bytes per second. Returns 0 when L4 statistics are not available for the request.

   Example: Route slow connections to a lightweight origin

   Use a request header transform rule to tag requests from high-latency connections, so your origin can serve a lighter page variant:

   Rule expression:

   cf.timings.client_tcp_rtt_msec > 200 or cf.timings.client_quic_rtt_msec > 200

   Header modifications:

   Operation	Header name	Value
   Set	X-High-Latency	true

   Example: Match low-bandwidth connections

   cf.edge.l4.delivery_rate > 0 and cf.edge.l4.delivery_rate < 100000

   For more information, refer to Request Header Transform Rules and the fields reference.

Mar 30, 2026

1. WAF Release - 2026-03-30

   WAF

   This week's release introduces new detections for a critical authentication bypass vulnerability in Fortinet products (CVE-2025-59718), alongside three new generic detection rules designed to identify and block HTTP Parameter Pollution attempts. Additionally, this release includes targeted protection for a high-impact unrestricted file upload vulnerability in Magento and Adobe Commerce.

   Key Findings

   • CVE-2025-59718: An improper cryptographic signature verification vulnerability in Fortinet FortiOS, FortiProxy, and FortiSwitchManager. This may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication using a maliciously crafted SAML message, if that feature is enabled on the device.

   • Magento 2 - Unrestricted File Upload: A critical flaw in Magento and Adobe Commerce allows unauthenticated attackers to bypass security checks and upload malicious files to the server, potentially leading to Remote Code Execution (RCE).

   Impact

   Successful exploitation of the Fortinet and Magento vulnerabilities could allow unauthenticated attackers to gain administrative control or deploy webshells, leading to complete server compromise and data theft.

   
   
   
   

   Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
   Cloudflare Managed Ruleset	...2f7f95e9	N/A	Generic Rules - Parameter Pollution - Body	Log	Disabled	This is a new detection.
   Cloudflare Managed Ruleset	...319731a4	N/A	Generic Rules - Parameter Pollution - Header - Form	Log	Disabled	This is a new detection.
   Cloudflare Managed Ruleset	...def262dd	N/A	Generic Rules - Parameter Pollution - URI	Log	Disabled	This is a new detection.
   Cloudflare Managed Ruleset	...70a36147	N/A	Magento 2 - Unrestricted file upload	Log	Block	This is a new detection.
   Cloudflare Managed Ruleset	...2ffcca9f	N/A	Fortinet FortiCloud SSO - Authentication Bypass - CVE:CVE-2025-59718	Log	Block	This is a new detection.

Mar 25, 2026

1. New mTLS certificate fields for Transform Rules

   Rules

   Cloudflare now exposes four new fields in the Transform Rules phase that encode client certificate data in RFC 9440 ↗ format. Previously, forwarding client certificate information to your origin required custom parsing of PEM-encoded fields or non-standard HTTP header formats. These new fields produce output in the standardized Client-Cert and Client-Cert-Chain header format defined by RFC 9440, so your origin can consume them directly without any additional decoding logic.

   Each certificate is DER-encoded, Base64-encoded, and wrapped in colons. For example, :MIIDsT...Vw==:. A chain of intermediates is expressed as a comma-separated list of such values.

   New fields

   Field	Type	Description
   cf.tls_client_auth.cert_rfc9440	String	The client leaf certificate in RFC 9440 format. Empty if no client certificate was presented.
   cf.tls_client_auth.cert_rfc9440_too_large	Boolean	true if the leaf certificate exceeded 10 KB and was omitted. In practice this will almost always be false.
   cf.tls_client_auth.cert_chain_rfc9440	String	The intermediate certificate chain in RFC 9440 format as a comma-separated list. Empty if no intermediate certificates were sent or if the chain exceeded 16 KB.
   cf.tls_client_auth.cert_chain_rfc9440_too_large	Boolean	true if the intermediate chain exceeded 16 KB and was omitted.

   The chain encoding follows the same ordering as the TLS handshake: the certificate closest to the leaf appears first, working up toward the trust anchor. The root certificate is not included.

   Example: Forwarding client certificate headers to your origin server

   Add a request header transform rule to set the Client-Cert and Client-Cert-Chain headers on requests forwarded to your origin server. For example, to forward headers for verified, non-revoked certificates:

   Rule expression:

   cf.tls_client_auth.cert_verified and not cf.tls_client_auth.cert_revoked

   Header modifications:

   Operation	Header name	Value
   Set	Client-Cert	cf.tls_client_auth.cert_rfc9440
   Set	Client-Cert-Chain	cf.tls_client_auth.cert_chain_rfc9440

   To get the most out of these fields, upload your client CA certificate to Cloudflare so that Cloudflare validates the client certificate at the edge and populates cf.tls_client_auth.cert_verified and cf.tls_client_auth.cert_revoked.

   Prevent header injection

   You should ensure that Client-Cert and Client-Cert-Chain headers received by your origin server can only originate from this transform rule — any client could send these headers directly.

   • If you use WAF custom rules to block requests with invalid mTLS connections: The transform rule is sufficient. For all requests that reach your origin server, the rule will overwrite any existing Client-Cert and Client-Cert-Chain headers.
   • If you do not enforce mTLS at the WAF: Add another transform rule that removes any incoming Client-Cert and Client-Cert-Chain headers from all requests (use expression true), ordered before the rule above. This ensures your origin server cannot receive client-supplied values for these HTTP headers.

   For more information, refer to Mutual TLS authentication, Request Header Transform Rules, and the fields reference.

Mar 23, 2026

1. Web Assets fields now available in GraphQL Analytics API

   API Shield

   Two new fields are now available in the httpRequestsAdaptive and httpRequestsAdaptiveGroups GraphQL Analytics API datasets:

   • webAssetsOperationId — the ID of the saved endpoint that matched the incoming request.
   • webAssetsLabelsManaged — the managed labels mapped to the matched operation at the time of the request (for example, cf-llm, cf-log-in). At most 10 labels are returned per request.

   Both fields are empty when no operation matched. webAssetsLabelsManaged is also empty when no managed labels are assigned to the matched operation.

   These fields allow you to determine, per request, which Web Assets operation was matched and which managed labels were active. This is useful for troubleshooting downstream security detection verdicts — for example, understanding why AI Security for Apps did or did not flag a request.

   Refer to Endpoint labeling service for GraphQL query examples.

Mar 23, 2026

1. WAF Release - 2026-03-23

   WAF

   This week's release focuses on new improvements to enhance coverage.

   Key Findings

   • Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.
   
   
   
   

   Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
   Cloudflare Managed Ruleset	...97321c6c	N/A	Command Injection - Generic 9 - URI Vector	Log	Disabled	This is a new detection.
   Cloudflare Managed Ruleset	...1eb7a999	N/A	Command Injection - Generic 9 - Header Vector	Log	Disabled	This is a new detection.
   Cloudflare Managed Ruleset	...0677175f	N/A	Command Injection - Generic 9 - Body Vector	Log	Disabled	This is a new detection.
   Cloudflare Managed Ruleset	...479da68f	N/A	PHP, vBulletin, jQuery File Upload - Code Injection, Dangerous File Upload - CVE:CVE-2018-9206, CVE:CVE-2019-17132 (beta)	Log	Block	This rule has been merged into the original rule "PHP, vBulletin, jQuery File Upload - Code Injection, Dangerous File Upload - CVE:CVE-2018-9206, CVE:CVE-2019-17132" (ID: ...824b817c )

Mar 20, 2026

1. Stream logs from multiple replicas of Cloudflare Tunnel simultaneously

   Cloudflare Tunnel Cloudflare Tunnel for SASE

   In the Cloudflare One dashboard, the overview page for a specific Cloudflare Tunnel now shows all replicas of that tunnel and supports streaming logs from multiple replicas at once.

   

   Previously, you could only stream logs from one replica at a time. With this update:

   • Replicas on the tunnel overview — All active replicas for the selected tunnel now appear on that tunnel's overview page under Connectors. Select any replica to stream its logs.
   • Multi-connector log streaming — Stream logs from multiple replicas simultaneously, making it easier to correlate events across your infrastructure during debugging or incident response. To try it out, log in to Cloudflare One ↗ and go to Networks > Connectors > Cloudflare Tunnels. Select View logs next to the tunnel you want to monitor.

   For more information, refer to Tunnel log streams and Deploy replicas.

Mar 19, 2026

1. Manage Cloudflare Tunnels with Wrangler

   Cloudflare Tunnel Workers

   You can now manage Cloudflare Tunnels directly from Wrangler, the CLI for the Cloudflare Developer Platform. The new wrangler tunnel commands let you create, run, and manage tunnels without leaving your terminal.

   

   Available commands:

   • wrangler tunnel create — Create a new remotely managed tunnel.
   • wrangler tunnel list — List all tunnels in your account.
   • wrangler tunnel info — Display details about a specific tunnel.
   • wrangler tunnel delete — Delete a tunnel.
   • wrangler tunnel run — Run a tunnel using the cloudflared daemon.
   • wrangler tunnel quick-start — Start a free, temporary tunnel without an account using Quick Tunnels.

   Wrangler handles downloading and managing the cloudflared binary automatically. On first use, you will be prompted to download cloudflared to a local cache directory.

   These commands are currently experimental and may change without notice.

   To get started, refer to the Wrangler tunnel commands documentation.

Mar 18, 2026

1. Worker execution timing field now available in Rules

   Rules

   The cf.timings.worker_msec field is now available in the Ruleset Engine. This field reports the wall-clock time that a Cloudflare Worker spent handling a request, measured in milliseconds.

   You can use this field to identify slow Worker executions, detect performance regressions, or build rules that respond differently based on Worker processing time, such as logging requests that exceed a latency threshold.

   Field details

   Field	Type	Description
   cf.timings.worker_msec	Integer	The time spent executing a Cloudflare Worker in milliseconds. Returns 0 if no Worker was invoked.

   Example filter expression:

   cf.timings.worker_msec > 500

   For more information, refer to the Fields reference.

Mar 18, 2026

1. Real-time logo match preview

   Security Center

   We are introducing Logo Match Preview, bringing the same pre-save visibility to visual assets that was previously only available for string-based queries. This update allows you to fine-tune your brand detection strategy before committing to a live monitor.

   What’s new:

   • Upload your brand logo and immediately see a sample of potential matches from recently detected sites before finalizing the query
   • Adjust your similarity score (from 75% to 100%) and watch the results refresh in real-time to find the balance between broad detection and noise reduction
   • Review the specific logos triggered by your current settings to ensure your query is capturing the right level of brand infringement

   If you are ready to test your brand assets, go to the Brand Protection dashboard ↗ to try the new preview tool.

Mar 17, 2026

1. New Security Overview UI

   Security Overview

   The Security Overview has been updated to provide Application Security customers with more actionable insights and a clearer view of their security posture.

   Key improvements include:

   • Criticality for all Insights: Every insight now includes a criticality rating, allowing you to prioritize the most impactful security action items first.
   • Detection Tools Section: A new section displays the security detection tools available to you, indicating which are currently enabled and which can be activated to strengthen your defenses.
   • Industry Peer Comparison (Enterprise customers): A new module from Security Reports benchmarks your security posture against industry peers, highlighting relative strengths and areas for improvement.
   

   For more information, refer to Security Overview.

Mar 12, 2026

1. WAF Release - 2026-03-12 - Emergency

   WAF

   This week's release introduces new detections for vulnerabilities in Ivanti Endpoint Manager Mobile (CVE-2026-1281 and CVE-2026-1340), alongside a new generic detection rule designed to identify and block Cross-Site Scripting (XSS) injection attempts within the Content-Security-Policy (CSP) HTTP request header.

   Key Findings

   • CVE-2026-1281 & CVE-2026-1340: Ivanti Endpoint Manager Mobile processes HTTP requests through Apache RevwriteMap directives that pass user-controlled input to Bash scripts (/mi/bin/map-appstore-url and /mi/bin/map-aft-store-url). Bash scripts do not sanitize user input and are vulnerable to shell arithmetic expansion thereby allowing attackers to achieve unauthenticated remote code execution.
   • Generic XSS in CSP Header: This rule identifies malicious payloads embedded within the request's Content-Security-Policy header. It specifically targets scenarios where web frameworks or applications trust and extract values directly from the CSP header in the incoming request without sufficient validation. Attackers can provide crafted header values to inject scripts or malicious directives that are subsequently processed by the server.

   Impact

   Successful exploitation of Ivanti EPMM vulnerability allows unauthenticated remote code execution and generic XSS in CSP header allows attackers to inject malicious scripts during page rendering. In environments using server-side caching, this poisoned XSS content can subsequently be cached and automatically served to all visitors.

   Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
   Cloudflare Managed Ruleset	...796ea2f6	N/A	Ivanti EPMM - Code Injection - CVE:CVE-2026-1281 CVE:CVE-2026-1340	Log	Block	This is a new detection.
   Cloudflare Managed Ruleset	...ee964a8c	N/A	Anomaly:Header:Content-Security-Policy	N/A	Block	This is a new detection.

Mar 09, 2026

1. New Vulnerability Scanner for API Shield

   API Shield

   Introducing Cloudflare's Web and API Vulnerability Scanner (Open Beta)

   Cloudflare is launching the Open Beta of the Web and API Vulnerability Scanner ↗ for all API Shield customers. This new, stateful Dynamic Application Security Testing (DAST) platform helps teams proactively find logic flaws in their APIs.

   The initial release focuses on detecting Broken Object Level Authorization (BOLA) vulnerabilities by building API call graphs to simulate attacker and owner contexts, then testing these contexts by sending real HTTP requests to your APIs.

   The scanner is now available via the Cloudflare API. To scan, set up your target environment, owner and attacker credentials, and upload your OpenAPI file with response schemas. The scanner will be available in the Cloudflare dashboard in a future release.

   Access: This feature is only available to API Shield subscribers via the Cloudflare API. We hope you will use the API for programmatic integration into your CI/CD pipelines and security dashboards.

   Documentation: Refer to the developer documentation to start scanning your endpoints today.

Mar 06, 2026

1. Dismiss and filter matches in Brand Protection

   Security Center

   We have introduced new triage controls to help you manage your Brand Protection results more efficiently. You can now clear out the noise by dismissing matches while maintaining full visibility into your historical decisions.

   What's new

   • Dismiss matches: Users can now mark specific results as dismissed if they are determined to be benign or false positives, removing them from the primary triage view.
   • Show/Hide toggle: A new visibility control allows you to instantly switch between viewing only active matches and including previously dismissed ones.
   • Persistent review states: Dismissed status is saved across sessions, ensuring that your workspace remains organized and focused on new or high-priority threats.

   Key benefits of the dismiss match functionality:

   • Reduce alert fatigue by hiding known-safe results, allowing your team to focus exclusively on unreviewed or high-risk infringements.
   • Auditability and recovery through the visibility toggle, ensuring that no match is ever truly "lost" and can be re-evaluated if a site's content changes.
   • Improved collaboration as your team members can see which matches have already been vetted and dismissed by others.

   Ready to clean up your match queue? Learn more in our Brand Protection documentation.

Mar 02, 2026

1. WAF Release - 2026-03-02

   WAF

   This week's release introduces new detections for vulnerabilities in SmarterTools SmarterMail (CVE-2025-52691 and CVE-2026-23760), alongside improvements to an existing Command Injection (nslookup) detection to enhance coverage.

   Key Findings

   • CVE-2025-52691: SmarterTools SmarterMail mail server is vulnerable to Arbitrary File Upload, allowing an unauthenticated attacker to upload files to any location on the mail server, potentially enabling remote code execution.
   • CVE-2026-23760: SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API permitting unaunthenticated to reset system administrator accounts failing to verify existing password or reset token.

   Impact

   Successful exploitation of these SmarterMail vulnerabilities could lead to full system compromise or unauthorized administrative access to mail servers. Administrators are strongly encouraged to apply vendor patches without delay.

   Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
   Cloudflare Managed Ruleset	...966ec6b1	N/A	SmarterMail - Arbitrary File Upload - CVE-2025-52691	Log	Block	This is a new detection.
   Cloudflare Managed Ruleset	...ee964a8c	N/A	SmarterMail - Authentication Bypass - CVE-2026-23760	Log	Block	This is a new detection.
   Cloudflare Managed Ruleset	...75b64d99	N/A	Command Injection - Nslookup - Beta	Log	Block	This rule is merged into the original rule "Command Injection - Nslookup" (ID: ...b090ba9a )

Feb 23, 2026

1. Saved views for Threat Events

   Security Center

   TL;DR: You can now create and save custom configurations of the Threat Events dashboard, allowing you to instantly return to specific filtered views — such as industry-specific attacks or regional Sankey flows — without manual reconfiguration.

   Why this matters

   Threat intelligence is most effective when it is personalized. Previously, analysts had to manually re-apply complex filters (like combining specific industry datasets with geographic origins) every time they logged in. This update provides material value by:

   • Analysts can now jump straight into "Known Ransomware Infrastructure" or "Retail Sector Targets" views with a single click, eliminating repetitive setup tasks
   • Teams can ensure everyone is looking at the same data subsets by using standardized saved views, reducing the risk of missing critical patterns due to inconsistent filtering.

   Cloudforce One subscribers can start saving their custom views now in Application Security > Threat Intelligence > Threat Events ↗.

Feb 20, 2026

1. Manage Cloudflare Tunnel directly from the main Cloudflare Dashboard

   Cloudflare Tunnel Cloudflare Tunnel for SASE

   Cloudflare Tunnel is now available in the main Cloudflare Dashboard at Networking > Tunnels ↗, bringing first-class Tunnel management to developers using Tunnel for securing origin servers.

   

   This new experience provides everything you need to manage Tunnels for public applications, including:

   • Full Tunnel lifecycle management: Create, configure, delete, and monitor all your Tunnels in one place.
   • Native integrations: View Tunnels by name when configuring DNS records and Workers VPC — no more copy-pasting UUIDs.
   • Real-time visibility: Monitor replicas and Tunnel health status directly in the dashboard.
   • Routing map: Manage all ingress routes for your Tunnel, including public applications, private hostnames, private CIDRs, and Workers VPC services, from a single interactive interface.

   Choose the right dashboard for your use case

   Core Dashboard: Navigate to Networking > Tunnels ↗ to manage Tunnels for:

   • Securing origin servers and public applications with CDN, WAF, Load Balancing, and DDoS protection
   • Connecting Workers to private services via Workers VPC

   Cloudflare One Dashboard: Navigate to Zero Trust > Networks > Connectors ↗ to manage Tunnels for:

   • Securing your public applications with Zero Trust access policies
   • Connecting users to private applications
   • Building a private mesh network

   Both dashboards provide complete Tunnel management capabilities — choose based on your primary workflow.

   Get started

   New to Tunnel? Learn how to get started with Cloudflare Tunnel or explore advanced use cases like securing SSH servers or running Tunnels in Kubernetes.

Feb 19, 2026

1. Cloudforce One Threat events graphs are now visible in the dashboard

   Security Center

   We have introduced dynamic visualizations to the Threat Events dashboard to help you better understand the threat landscape and identify emerging patterns at a glance.

   What's new:

   • Sankey Diagrams: Trace the flow of attacks from country of origin to target country to identify which regions are being hit hardest and where the threat infrastructure resides.
   
   • Dataset Distribution over time: Instantly pivot your view to understand if a specific campaign is targeting your sector or if it is a broad-spectrum commodity attack.
   
   • Enhanced Filtering: Use these visual tools to filter and drill down into specific attack vectors directly from the charts.

   Cloudforce One subscribers can explore these new views now in Application Security > Threat Intelligence > Threat Events ↗.

Feb 16, 2026

1. WAF Release - 2026-02-16

   WAF

   This week’s release introduces new detections for CVE-2025-68645 and CVE-2025-31125.

   Key Findings

   • CVE-2025-68645: A Local File Inclusion (LFI) vulnerability in the Webmail Classic UI of Zimbra Collaboration Suite (ZCS) 10.0 and 10.1 allows unauthenticated remote attackers to craft requests to the /h/rest endpoint, improperly influence internal dispatching, and include arbitrary files from the WebRoot directory.
   • CVE-2025-31125: Vite, the JavaScript frontend tooling framework, exposes content of non-allowed files via ?inline&import when its development server is network-exposed, enabling unauthorized attackers to read arbitrary files and potentially leak sensitive information.

   Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
   Cloudflare Managed Ruleset	...833761f7	N/A	Zimbra - Local File Inclusion - CVE:CVE-2025-68645	Log	Block	This is a new detection.
   Cloudflare Managed Ruleset	...950ed8c8	N/A	Vite - WASM Import Path Traversal - CVE:CVE-2025-31125	Log	Block	This is a new detection.

Feb 12, 2026

1. Enhanced Logo Matching for Brand Protection

   Security Center

   We have significantly upgraded our Logo Matching capabilities within Brand Protection. While previously limited to approximately 100% matches, users can now detect a wider range of brand assets through a redesigned matching model and UI.

   What's new

   • Configurable match thresholds: Users can set a minimum match score (starting at 75%) when creating a logo query to capture subtle variations or high-quality impersonations.
   • Visual match scores: Allow users to see the exact percentage of the match directly in the results table, highlighted with color-coded lozenges to indicate severity.
   • Direct logo previews: Available in the Cloudflare dashboard — similar to string matches — to verify infringements at a glance.

   Key benefits

   • Expose sophisticated impersonators who use slightly altered logos to bypass basic detection filters.
   • Faster triage of the most relevant threats immediately using visual indicators, reducing the time spent manually reviewing matches.

   Ready to protect your visual identity? Learn more in our Brand Protection documentation.

← Prev

12 … 6

Next →

Search all changelog entries