Changelog
WAF and framework adapter mitigations for React and Next.js vulnerabilities
Multiple security vulnerabilities were disclosed by the React team and Vercel affecting React Server Components and Next.js. These include denial of service, middleware and proxy bypass, server-side request forgery, cross-site scripting, and cache poisoning issues across a range of severity levels.
We strongly recommend updating your application and its dependencies immediately. Patched versions are available for React (react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack 19.0.6, 19.1.7, and 19.2.6) and Next.js (15.5.16 and 16.2.5).
Cloudflare WAF rules deployed in response to prior React Server Component CVEs (CVE-2025-55184 ↗ and CVE-2026-23864 ↗) already provide coverage for the newly disclosed denial-of-service vulnerabilities. These rules are enabled by default with a Block action for all customers using the Cloudflare Managed Ruleset, including Free plan customers using the Free Managed Ruleset.
| Ruleset | Rule description | Rule ID | Default action |
|---|---|---|---|
| Cloudflare Managed Ruleset | React - DoS - CVE-2025-55184 ↗ | 2694f1610c0b471393b21aef102ec699 | Block |
| Cloudflare Managed Ruleset | React - DoS - CVE-2026-23864 ↗ | aaede80b4d414dc89c443cea61680354 | Block |
The existing rules detect the underlying attack patterns generically. As a result, they apply to the new CVE-2026-23870 ↗ denial-of-service vulnerability in Server Components and the corresponding Next.js advisory GHSA-8h8q-6873-q5fj ↗.
Cloudflare is investigating whether WAF rules can be safely and effectively deployed for three of the high-severity advisories: CVE-2026-23870 ↗ / GHSA-8h8q-6873-q5fj ↗, GHSA-267c-6grr-h53f ↗, and GHSA-mg66-mrh9-m8jx ↗. If it is possible to create a managed WAF rule that mitigates these CVEs and does not potentially break application behavior, Cloudflare will add additional managed WAF rules. These rules will be announced through the WAF changelog. Because these vulnerabilities were shared with Cloudflare with minimal advance notice, we are still investigating what WAF mitigations are possible.
Several of the disclosed vulnerabilities are not possible to block in WAF. We strongly recommend updating your applications so they are not purely reliant on WAF mitigations.
Customers on Pro, Business, or Enterprise plans should ensure that Managed Rules are enabled.
Vinext: Vinext ↗ is a Vite plugin that reimplements the Next.js API surface. Vinext's latest release is not vulnerable to any of the disclosed CVEs. Vinext's architecture differs from stock Next.js in ways that sidestep the affected code paths. For example, it does not implement the PPR resume protocol, does not expose Pages Router data-route endpoints, and strips internal headers such as x-nextjs-data at request boundaries. As an extra layer of defense, we added a React 19.2.6 or later requirement when running vinext init (PR #1118 ↗, PR #1112 ↗) to prevent accidentally running a vulnerable version of React with Vinext.
OpenNext on Cloudflare: OpenNext is an adapter that lets you deploy Next.js apps to the Cloudflare Workers platform. OpenNext itself is not directly vulnerable to the React denial-of-service CVE, but users must update the Next.js version in their application. The OpenNext team has updated the adapter to further harden against these vectors and released a new version of the Cloudflare adapter. Test fixtures and examples have been updated to use patched versions (PR #1255 ↗).
| Advisory | Severity | Issue | WAF status |
|---|---|---|---|
CVE-2026-23870 ↗ / GHSA-8h8q-6873-q5fj ↗ | High | Denial of service in Server Components | WAF rules in place: 2694f1610c0b471393b21aef102ec699, aaede80b4d414dc89c443cea61680354Cloudflare is investigating additional managed WAF coverage |
GHSA-267c-6grr-h53f ↗ | High | Middleware bypass via segment-prefetch routes | Cloudflare is investigating if this can be safely and effectively mitigated by a managed WAF rule |
GHSA-mg66-mrh9-m8jx ↗ | High | Denial of service via connection exhaustion in Cache Components | Cloudflare is investigating if this can be safely and effectively mitigated by a managed WAF rule |
GHSA-492v-c6pp-mqqv ↗ | High | Middleware bypass via dynamic route parameter injection | Not possible to safely enable a managed WAF rule without potentially breaking application behavior |
GHSA-c4j6-fc7j-m34r ↗ | High | SSRF via WebSocket upgrades | Not possible to safely enable a managed WAF rule without potentially breaking application behavior |
GHSA-36qx-fr4f-26g5 ↗ | High | Middleware bypass in Pages Router i18n | Custom WAF rule possible; global managed rule could potentially break application behavior |
GHSA-ffhc-5mcf-pf4q ↗ | Moderate | XSS via CSP nonces | Custom WAF rule possible; global managed rule could potentially break application behavior |
GHSA-gx5p-jg67-6x7h ↗ | Moderate | XSS in beforeInteractive scripts | Not possible to safely enable a managed WAF rule without potentially breaking application behavior |
GHSA-h64f-5h5j-jqjh ↗ | Moderate | Denial of service in Image Optimization API | Custom WAF rule possible; global managed rule could potentially break application behavior |
GHSA-wfc6-r584-vfw7 ↗ | Moderate | Cache poisoning in RSC responses | Custom WAF rule possible; global managed rule could potentially break application behavior |
GHSA-vfv6-92ff-j949 ↗ | Low | Cache poisoning via RSC cache-busting collisions | Not possible to safely enable a managed WAF rule without potentially breaking application behavior |
GHSA-3g8h-86w9-wvmq ↗ | Low | Middleware redirect cache poisoning | Custom WAF rule possible; global managed rule could potentially break application behavior |
WAF Release - 2026-05-07 - Emergency
This emergency release introduces a new rule to detect Next.js App Router middleware and proxy bypass attempts via segment-prefetch routes (CVE-2026-44575).
Key Findings
CVE-2026-44575: Next.js Middleware / Proxy Bypass in App Router Applications via Segment-Prefetch Routes
Successful exploitation allows unauthenticated attackers to bypass middleware or proxy-based authorization checks in affected Next.js App Router applications. This leads to unauthorized access to protected content, potential exposure of sensitive application data, and compromise of application security boundaries.
We strongly recommend upgrading to Next.js 15.5.16 or 16.2.5 (or later) immediately to address the underlying vulnerability. If you cannot upgrade immediately, enforce authorization in the underlying route or page logic instead of relying solely on middleware.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | Next.js - Middleware Bypass via Invalid RSC Header - CVE:CVE-2026-44575 | N/A | Disabled | This is a new detection. |
WAF Release - 2026-05-04
This week's release focuses on new detections to expand coverage across command injection, SQL injection, PHP object injection, remote code execution, and XSS attack vectors.
Key Findings
- Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.
Continuous Rule Improvements
We are continuously refining our managed rules to provide more resilient protection and deeper insights into attack patterns. To ensure an optimal security posture, we recommend consistently monitoring the Security Events dashboard and adjusting rule actions as these enhancements are deployed.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | XSS, HTML Injection - Object Tag - Body (beta) | Log | Block | This is a new detection. This rule is merged into the original rule
"XSS, HTML Injection - Object Tag" (ID:
| |
| Cloudflare Managed Ruleset | N/A | XSS, HTML Injection - Object Tag - Headers | Log | Block | This is a new detection. The rule previously known as "XSS, HTML Injection - Object Tag - Headers (beta)" is now renamed to "XSS, HTML Injection - Object Tag - Headers". | |
| Cloudflare Managed Ruleset | N/A | XSS, HTML Injection - Object Tag - URI | Log | Block | This is a new detection. The rule previously known as "XSS, HTML Injection - Object Tag - URI (beta)" is now renamed to "XSS, HTML Injection - Object Tag - URI". | |
| Cloudflare Managed Ruleset | N/A | Command Injection - Generic 9 - Body Vector - Beta | N/A | Disabled | This is a new detection. This rule is merged into the original rule
"Command Injection - Generic 9 - Body Vector" (ID:
| |
| Cloudflare Managed Ruleset | N/A | Command Injection - Generic 9 - Header Vector - Beta | N/A | Disabled | This is a new detection. This rule is merged into the original rule
"Command Injection - Generic 9 - Header Vector" (ID:
| |
| Cloudflare Managed Ruleset | N/A | Command Injection - Generic 9 - URI Vector - Beta | N/A | Disabled | This is a new detection. This rule is merged into the original rule
"Command Injection - Generic 9 - URI Vector" (ID:
| |
| Cloudflare Managed Ruleset | N/A | Command Injection - Sleep - Body | N/A | Disabled | This is a new detection. The rule previously known as "Command Injection
| |
| Cloudflare Managed Ruleset | N/A | Command Injection - Sleep - Headers | N/A | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | Command Injection - Sleep - URI | N/A | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | Fortinet FortiSandbox - Command Injection - CVE:CVE-2026-39808 | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | Remote Code Execution - Common Bash Bypass - Headers | N/A | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | Remote Code Execution - Common Bash Bypass - URI | N/A | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | Remote Code Execution - Common Bash Bypass - Body - Beta | N/A | Disabled | This is a new detection. This rule is merged into the original rule
"Remote Code Execution - Common Bash Bypass Body" (ID:
| |
| Cloudflare Managed Ruleset | N/A | PHP Object Injection - 2 - Body - Beta | N/A | Disabled | This is a new detection. This rule is merged into the original rule
"PHP Object Injection - 2" (ID:
| |
| Cloudflare Managed Ruleset | N/A | PHP Object Injection - 2 - Headers | N/A | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | PHP Object Injection - 2 - URI | N/A | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - DROP - 2 - Beta | N/A | Disabled | This is a new detection. This rule is merged into the original rule
"SQLi - DROP - 2" (ID:
| |
| Cloudflare Managed Ruleset | N/A | SQLi - DROP - 2 - Headers | N/A | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - DROP - 2 - URI | N/A | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SmarterMail - Remote Code Execution - CVE:CVE-2026-24423 | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - SELECT Expression - Body | Block | Disabled | Action changed | |
| Cloudflare Managed Ruleset | N/A | SQLi - String Concatenation - URI | Block | Disabled | Action changed |
WAF Release - 2026-04-30 - Emergency
This emergency release introduces a new rule to block a cPanel & WHM Authentication Bypass related to CVE-2026-41940.
Key Findings
- CVE-2026-41940: A critical authentication bypass vulnerability in cPanel & WHM allows unauthenticated remote attackers to bypass authentication mechanisms and gain unauthorized administrative access to the web hosting control panel. This vulnerability affects the session validation logic, enabling attackers to craft malicious requests that circumvent normal authentication checks.
Impact
Successful exploitation allows unauthenticated attackers to gain administrative control over affected cPanel & WHM installations. This leads to complete server compromise, potential theft or manipulation of hosted data, and significant service disruption across managed environments.
We strongly recommend applying official vendor patches for cPanel & WHM immediately to address the underlying vulnerability.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | cPanel - Auth Bypass - CVE:CVE-2026-41940 | N/A | Block | This is a new detection. |
WAF Release - 2026-04-27
This week's release focuses on new improvements to enhance coverage.
Key Findings
- Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.
Continuous Rule Improvements
We are continuously refining our managed rules to provide more resilient protection and deeper insights into attack patterns. To ensure an optimal security posture, we recommend consistently monitoring the Security Events dashboard and adjusting rule actions as these enhancements are deployed.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | PostgreSQL - SQLi - COPY - Beta | Log | Block | This is a new detection. This rule is merged into the original rule
"PostgreSQL - SQLi - COPY - Body (ID:
| |
| Cloudflare Managed Ruleset | N/A | PostgreSQL - SQLi - COPY - Headers | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | PostgreSQL - SQLi - COPY - URI | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - AND/OR MAKE_SET/ELT - Beta | Log | Block | This is a new detection. This rule is merged into the original rule
"SQLi - AND/OR MAKE_SET/ELT - Body" (ID:
| |
| Cloudflare Managed Ruleset | N/A | SQLi - AND/OR MAKE_SET/ELT - Headers | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - AND/OR MAKE_SET/ELT - URI | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - Common Patterns - Beta | Log | Block | This is a new detection. This rule is merged into the original rule
"SQLi - Common Patterns - Body" (ID:
| |
| Cloudflare Managed Ruleset | N/A | SQLi - Common Patterns - Headers | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - Common Patterns - URI | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - Equation - Beta | Log | Block | This is a new detection. This rule is merged into the original rule
"SQLi - Equation - Body" (ID:
| |
| Cloudflare Managed Ruleset | N/A | SQLi - Equation - Headers | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - Equation - URI | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - AND/OR Digit Operator Digit - Beta | Log | Block | This is a new detection. This rule is merged into the original rule
"SQLi - AND/OR Digit Operator Digit - Body" (ID:
| |
| Cloudflare Managed Ruleset | N/A | SQLi - AND/OR Digit Operator Digit - Headers | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - AND/OR Digit Operator Digit - URI | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - Benchmark Function - Beta | Log | Block | This is a new detection. This rule is merged into the original rule
"SQLi - Benchmark Function - Body" (ID:
| |
| Cloudflare Managed Ruleset | N/A | SQLi - Benchmark Function - Headers | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - Benchmark Function - URI | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - Comparison - Beta | Log | Block | This is a new detection. This rule is merged into the original rule
"SQLi - Comparison - Body" (ID:
| |
| Cloudflare Managed Ruleset | N/A | SQLi - Comparison - Headers | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - Comparison - URI | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - String Concatenation - Body - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - String Concatenation - Headers" (ID:
| |
| Cloudflare Managed Ruleset | N/A | SQLi - String Concatenation - Headers | Log | Block | This is a new detection.(Former Id was
| |
| Cloudflare Managed Ruleset | N/A | SQLi - String Concatenation - URI | Log | Block | This is a new detection. (Former Id was
| |
| Cloudflare Managed Ruleset | N/A | SQLi - SELECT Expression - Beta | Log | Block | This is a new detection. This rule is merged into the original rule
"SQLi - SELECT Expression - Body" (ID:
| |
| Cloudflare Managed Ruleset | N/A | SQLi - SELECT Expression - Headers | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - SELECT Expression - URI | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - ORD and ASCII - Beta | Log | Block | This is a new detection. This rule is merged into the original rule
"SQLi - ORD and ASCII- Body" (ID:
| |
| Cloudflare Managed Ruleset | N/A | SQLi - ORD and ASCII - URI | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - ORD and ASCII - Headers | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - Destructive Operations | Log | Block | This is a new detection. |
WAF Release - 2026-04-21
This week's release introduces a new detection for a Remote Code Execution (RCE) vulnerability in Apache ActiveMQ (CVE-2026-34197) and an updated signature for Magento 2 - Unrestricted File Upload. Alongside these detections, we are continuing our work on rule refinements to provide deeper security insights for our customers.
Key Findings
-
Apache ActiveMQ (CVE-2026-34197): A vulnerability in Apache ActiveMQ allows an unauthenticated, remote attacker to execute arbitrary code. This flaw occurs during the processing of specially crafted network packets, leading to potential full system compromise.
-
Magento 2 - Unrestricted File Upload - 2: This is a follow-up enhancement to our existing protections for Magento and Adobe Commerce.
Impact
Successful exploitation of these vulnerabilities could allow unauthenticated attackers to execute arbitrary code or gain full administrative control over affected servers. We strongly recommend applying official vendor patches for Apache ActiveMQ and Magento to address the underlying vulnerabilities.
Continuous Rule Improvements
We are continuously refining our managed rules to provide more resilient protection and deeper insights into attack patterns. To ensure an optimal security posture, we recommend consistently monitoring the Security Events dashboard and adjusting rule actions as these enhancements are deployed.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | Command Injection - Generic 8 - uri | Log | Block | This is a new detection. Previous description was "Command Injection - Generic 8 - uri - Beta" | |
| Cloudflare Managed Ruleset | N/A | Command Injection - Generic 8 - body - Beta | Disabled | Disabled | This is a new detection. This rule is merged into the original rule
"Command Injection - Generic 8 - body" (ID:
| |
| Cloudflare Managed Ruleset | N/A | MySQL - SQLi - Executable Comment - Beta | Log | Block | This is a new detection. This rule is merged into the original rule
"MySQL - SQLi - Executable Comment - Body" (ID:
| |
| Cloudflare Managed Ruleset | N/A | MySQL - SQLi - Executable Comment - Headers | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | MySQL - SQLi - Executable Comment - URI | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | Magento 2 - Unrestricted file upload - 2 | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | Apache ActiveMQ - Remote Code Execution - CVE:CVE-2026-34197 | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - Sleep Function - Beta | Log | Block | This is a new detection. This rule is merged into the original rule
"SQLi - Sleep Function" (ID:
| |
| Cloudflare Managed Ruleset | N/A | SQLi - Sleep Function - Headers | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - Sleep Function - URI | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - Probing - uri | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - Probing - header | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - Probing - body | Disabled | Disabled | This is a new detection. This rule is merged into the original rule
"SQLi - Probing" (ID: | |
| Cloudflare Managed Ruleset | N/A | SQLi - Probing 2 | Disabled | Disabled | This rule had duplicate detection logic and has been deprecated. | |
| Cloudflare Managed Ruleset | N/A | SQLi - UNION in MSSQL - Body | Disabled | Disabled | This rule has been renamed to differentiate from "SQLi - UNION in MSSQL" (ID: | |
| Cloudflare Managed Ruleset | N/A | SQLi - UNION - 3 | Disabled | Disabled | This rule had duplicate detection logic and has been deprecated. | |
| Cloudflare Managed Ruleset | N/A | XSS, HTML Injection - Embed Tag - URI | Disabled | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | XSS, HTML Injection - Embed Tag - Headers | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | XSS, HTML Injection - IFrame Tag - Src and Srcdoc Attributes - Headers | Log | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | XSS, HTML Injection - Link Tag - Headers | Log | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | XSS, HTML Injection - Link Tag - URI | Disabled | Disabled | This is a new detection. |
WAF Release - 2026-04-15
This week's release introduces a new detection for a critical Remote Code Execution (RCE) vulnerability in Mesop (CVE-2026-33057), alongside protections for high-impact vulnerabilities in Cisco Secure Firewall Management Center (CVE-2026-20079) and FortiClient EMS (CVE-2026-21643). Additionally, this release includes an update to our existing React Server DoS coverage to address recently identified resource exhaustion vectors (CVE-2026-23869).
Key Findings
-
Cisco Secure FMC (CVE-2026-20079): A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) that allows an unauthenticated, remote attacker to execute arbitrary commands or bypass security filters.
-
FortiClient EMS (CVE-2026-21643): A critical vulnerability in the FortiClient EMS permitting unauthorized access or administrative configuration manipulation via crafted HTTP requests.
-
Mesop (CVE-2026-33057): A vulnerability in the Mesop Python-based UI framework where unauthenticated attackers can execute arbitrary code by sending specially crafted, Base64-encoded payloads in the request body.
Impact
Successful exploitation of these vulnerabilities could allow unauthenticated attackers to execute arbitrary code, gain administrative control over network management infrastructure, or trigger server-side resource exhaustion. Administrators are strongly encouraged to apply official vendor updates.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | Cisco Secure FMC - RCE via upgradeReadinessCall - CVE:CVE-2026-20079 | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | FortiClient EMS - Pre-Auth SQL Injection - CVE:CVE-2026-21643 | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | Mesop - Remote Code Execution - Base64 Payload - CVE:CVE-2026-33057 | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | React Server - DOS - CVE:CVE-2026-23864 - 1 - Beta | Log | Block | This rule has been merged into the original rule "React Server - DOS - CVE:CVE-2026-23864 - 1" (ID: | |
| Cloudflare Managed Ruleset | N/A | XSS, HTML Injection - Link Tag - URI (beta) | N/A | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | XSS, HTML Injection - Embed Tag - URI (beta) | N/A | Disabled | This is a new detection. |
Email obfuscation decode script is now non-render-blocking
The decode script injected by Email Address Obfuscation now loads with the defer attribute. This means the script no longer blocks page rendering. It downloads in parallel with HTML parsing and executes after the document is fully parsed, before the DOMContentLoaded event.
This improves page loading performance, contributing to better Core Web Vitals, for all zones with Email Address Obfuscation on. No action is required.
If you have custom JavaScript that depends on email addresses being decoded at a specific point during page load, note that the decode script now executes after HTML parsing completes rather than inline during parsing.
WAF Release - 2026-04-07
This week's release introduces new detections for a critical Remote Code Execution (RCE) vulnerability in MCP Server (CVE-2026-23744), alongside targeted protection for an authentication bypass vulnerability in SolarWinds products (CVE-2025-40552). Additionally, this release includes a new generic detection rule designed to identify and block Cross-Site Scripting (XSS) injection attempts leveraging "OnEvent" handlers within HTTP cookies.
Key Findings
-
MCP Server (CVE-2026-23744): A vulnerability in the Model Context Protocol (MCP) server implementation where malformed input payloads can trigger a memory corruption state, allowing for arbitrary code execution.
-
SolarWinds (CVE-2025-40552): A critical flaw in the authentication module allows unauthenticated attackers to bypass security filters and gain unauthorized access to the management console due to improper identity token validation.
-
XSS OnEvents Cookies: This generic rule identifies malicious event handlers (such as onload or onerror) embedded within HTTP cookie values.
Impact
Successful exploitation of the MCP Server and SolarWinds vulnerabilities could allow unauthenticated attackers to execute arbitrary code or gain administrative control, leading to a full system takeover. Additionally, the new generic XSS detection prevents attackers from leveraging browser event handlers in cookies to hijack user sessions or execute malicious scripts.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | Generic Rules - Command Execution - 5 - Body | Log | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | Generic Rules - Command Execution - 5 - Header | Log | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | Generic Rules - Command Execution - 5 - URI | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | MCP Server - Remote Code Execution - CVE:CVE-2026-23744 | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | XSS - OnEvents - Cookies | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - Evasion - Body | Log | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - Evasion - Headers | Log | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - Evasion - URI | Log | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - LIKE 3 - Body | Log | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - LIKE 3 - URI | Log | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - UNION - 2 - Body | Log | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - UNION - 2 - URI | Log | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SolarWinds - Auth Bypass - CVE:CVE-2025-40552 | Log | Block | This is a new detection. |
WAF Release - 2026-03-30
This week's release introduces new detections for a critical authentication bypass vulnerability in Fortinet products (CVE-2025-59718), alongside three new generic detection rules designed to identify and block HTTP Parameter Pollution attempts. Additionally, this release includes targeted protection for a high-impact unrestricted file upload vulnerability in Magento and Adobe Commerce.
Key Findings
-
CVE-2025-59718: An improper cryptographic signature verification vulnerability in Fortinet FortiOS, FortiProxy, and FortiSwitchManager. This may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication using a maliciously crafted SAML message, if that feature is enabled on the device.
-
Magento 2 - Unrestricted File Upload: A critical flaw in Magento and Adobe Commerce allows unauthenticated attackers to bypass security checks and upload malicious files to the server, potentially leading to Remote Code Execution (RCE).
Impact
Successful exploitation of the Fortinet and Magento vulnerabilities could allow unauthenticated attackers to gain administrative control or deploy webshells, leading to complete server compromise and data theft.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | Generic Rules - Parameter Pollution - Body | Log | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | Generic Rules - Parameter Pollution - Header - Form | Log | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | Generic Rules - Parameter Pollution - URI | Log | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | Magento 2 - Unrestricted file upload | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | Fortinet FortiCloud SSO - Authentication Bypass - CVE:CVE-2025-59718 | Log | Block | This is a new detection. |
WAF Release - 2026-03-23
This week's release focuses on new improvements to enhance coverage.
Key Findings
- Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | Command Injection - Generic 9 - URI Vector | Log | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | Command Injection - Generic 9 - Header Vector | Log | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | Command Injection - Generic 9 - Body Vector | Log | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | PHP, vBulletin, jQuery File Upload - Code Injection, Dangerous File Upload - CVE:CVE-2018-9206, CVE:CVE-2019-17132 (beta) | Log | Block | This rule has been merged into the original rule "PHP, vBulletin, jQuery File Upload - Code Injection, Dangerous File Upload - CVE:CVE-2018-9206, CVE:CVE-2019-17132" (ID: |
WAF Release - 2026-03-12 - Emergency
This week's release introduces new detections for vulnerabilities in Ivanti Endpoint Manager Mobile (CVE-2026-1281 and CVE-2026-1340), alongside a new generic detection rule designed to identify and block Cross-Site Scripting (XSS) injection attempts within the Content-Security-Policy (CSP) HTTP request header.
Key Findings
- CVE-2026-1281 & CVE-2026-1340: Ivanti Endpoint Manager Mobile processes HTTP requests through Apache RevwriteMap directives that pass user-controlled input to Bash scripts (
/mi/bin/map-appstore-urland/mi/bin/map-aft-store-url). Bash scripts do not sanitize user input and are vulnerable to shell arithmetic expansion thereby allowing attackers to achieve unauthenticated remote code execution. - Generic XSS in CSP Header: This rule identifies malicious payloads embedded within the request's
Content-Security-Policyheader. It specifically targets scenarios where web frameworks or applications trust and extract values directly from the CSP header in the incoming request without sufficient validation. Attackers can provide crafted header values to inject scripts or malicious directives that are subsequently processed by the server.
Impact
Successful exploitation of Ivanti EPMM vulnerability allows unauthenticated remote code execution and generic XSS in CSP header allows attackers to inject malicious scripts during page rendering. In environments using server-side caching, this poisoned XSS content can subsequently be cached and automatically served to all visitors.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | Ivanti EPMM - Code Injection - CVE:CVE-2026-1281 CVE:CVE-2026-1340 | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | Anomaly:Header:Content-Security-Policy | N/A | Block | This is a new detection. |
WAF Release - 2026-03-02
This week's release introduces new detections for vulnerabilities in SmarterTools SmarterMail (CVE-2025-52691 and CVE-2026-23760), alongside improvements to an existing Command Injection (nslookup) detection to enhance coverage.
Key Findings
- CVE-2025-52691: SmarterTools SmarterMail mail server is vulnerable to Arbitrary File Upload, allowing an unauthenticated attacker to upload files to any location on the mail server, potentially enabling remote code execution.
- CVE-2026-23760: SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API permitting unaunthenticated to reset system administrator accounts failing to verify existing password or reset token.
Impact
Successful exploitation of these SmarterMail vulnerabilities could lead to full system compromise or unauthorized administrative access to mail servers. Administrators are strongly encouraged to apply vendor patches without delay.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | SmarterMail - Arbitrary File Upload - CVE-2025-52691 | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SmarterMail - Authentication Bypass - CVE-2026-23760 | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | Command Injection - Nslookup - Beta | Log | Block | This rule is merged into the original rule "Command Injection - Nslookup" (ID: |
WAF Release - 2026-02-16
This week’s release introduces new detections for CVE-2025-68645 and CVE-2025-31125.
Key Findings
- CVE-2025-68645: A Local File Inclusion (LFI) vulnerability in the Webmail Classic UI of Zimbra Collaboration Suite (ZCS) 10.0 and 10.1 allows unauthenticated remote attackers to craft requests to the
/h/restendpoint, improperly influence internal dispatching, and include arbitrary files from the WebRoot directory. - CVE-2025-31125: Vite, the JavaScript frontend tooling framework, exposes content of non-allowed files via
?inline&importwhen its development server is network-exposed, enabling unauthorized attackers to read arbitrary files and potentially leak sensitive information.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | Zimbra - Local File Inclusion - CVE:CVE-2025-68645 | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | Vite - WASM Import Path Traversal - CVE:CVE-2025-31125 | Log | Block | This is a new detection. |
WAF Release - 2026-02-10
This week’s release changes the rule action from BLOCK to Disabled for Anomaly:Header:User-Agent - Fake Google Bot.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | Anomaly:Header:User-Agent - Fake Google Bot | Enabled | Disabled | We are changing the action for this rule from BLOCK to Disabled |
WAF Release - 2026-02-02
This week’s release introduces new detections for CVE-2025-64459 and CVE-2025-24893.
Key Findings
- CVE-2025-64459: Django versions prior to 5.1.14, 5.2.8, and 4.2.26 are vulnerable to SQL injection via crafted dictionaries passed to QuerySet methods and the
Q()class. - CVE-2025-24893: XWiki allows unauthenticated remote code execution through crafted requests to the SolrSearch endpoint, affecting the entire installation.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | XWiki - Remote Code Execution - CVE:CVE-2025-24893 2 | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | Django SQLI - CVE:CVE-2025-64459 | Log | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | NoSQL, MongoDB - SQLi - Comparison - 2 | Block | Block | Rule metadata description refined. Detection unchanged. |
WAF Release - 2026-01-26
This week’s release introduces new detections for denial-of-service attempts targeting React CVE-2026-23864 (https://www.cve.org/CVERecord?id=CVE-2026-23864 ↗).
Key Findings
- CVE-2026-23864 (https://www.cve.org/CVERecord?id=CVE-2026-23864 ↗) affects
react-server-dom-parcel,react-server-dom-turbopack, andreact-server-dom-webpackpackages. - Attackers can send crafted HTTP requests to Server Function endpoints, causing server crashes, out-of-memory exceptions, or excessive CPU usage.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | React Server - DOS - CVE:CVE-2026-23864 - 1 | N/A | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | React Server - DOS - CVE:CVE-2026-23864 - 2 | N/A | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | React Server - DOS - CVE:CVE-2026-23864 - 3 | N/A | Block | This is a new detection. |
WAF Release - 2026-01-20
This week's release focuses on improvements to existing detections to enhance coverage.
Key Findings
- Existing rule enhancements have been deployed to improve detection resilience against SQL injection.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | SQLi - Comment - Beta | Log | Block | This rule is merged into the original rule "SQLi - Comment" (ID: | |
| Cloudflare Managed Ruleset | N/A | SQLi - Comparison - Beta | Log | Block | This rule is merged into the original rule "SQLi - Comparison" (ID: |
WAF Release - 2026-01-15
This week's release focuses on improvements to existing detections to enhance coverage.
Key Findings
- Existing rule enhancements have been deployed to improve detection resilience against SQL Injection.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | SQLi - String Function - Beta | Log | Block | This rule is merged into the original rule "SQLi - String Function" (ID: | |
| Cloudflare Managed Ruleset | N/A | SQLi - Sub Query - Beta | Log | Block | This rule is merged into the original rule "SQLi - Sub Query" (ID: |
WAF Release - 2026-01-12
This week's release focuses on improvements to existing detections to enhance coverage.
Key Findings
- Existing rule enhancements have been deployed to improve detection resilience against SQL Injection.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | SQLi - AND/OR MAKE_SET/ELT - Beta | Log | Block | This rule is merged into the original rule "SQLi - AND/OR MAKE_SET/ELT" (ID: | |
| Cloudflare Managed Ruleset | N/A | SQLi - Benchmark Function - Beta | Log | Block | This rule is merged into the original rule "SQLi - Benchmark Function" (ID: |
WAF Release - 2025-12-18
This week's release focuses on improvements to existing detections to enhance coverage.
Key Findings
- Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | Atlassian Confluence - Code Injection - CVE:CVE-2021-26084 - Beta | Log | Block | This rule is merged into the original rule "Atlassian Confluence - Code Injection - CVE:CVE-2021-26084" (ID: | |
| Cloudflare Managed Ruleset | N/A | PostgreSQL - SQLi - Copy - Beta | Log | Block | This rule is merged into the original rule "PostgreSQL - SQLi - COPY" (ID: | |
| Cloudflare Managed Ruleset | N/A | Generic Rules - Command Execution - Body | Log | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | Generic Rules - Command Execution - Header | Log | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | Generic Rules - Command Execution - URI | Log | Disabled | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | SQLi - Tautology - URI - Beta | Log | Block | This rule is merged into the original rule "SQLi - Tautology - URI" (ID: | |
| Cloudflare Managed Ruleset | N/A | SQLi - WaitFor Function - Beta | Log | Block | This rule is merged into the original rule "SQLi - WaitFor Function" (ID: | |
| Cloudflare Managed Ruleset | N/A | SQLi - AND/OR Digit Operator Digit 2 - Beta | Log | Block | This rule is merged into the original rule "SQLi - AND/OR Digit Operator Digit" (ID: | |
| Cloudflare Managed Ruleset | N/A | SQLi - Equation 2 - Beta | Log | Block | This rule is merged into the original rule "SQLi - Equation" (ID: |
WAF Release - 2025-12-11 - Emergency
This emergency release introduces rules for CVE-2025-55183 and CVE-2025-55184, targeting server-side function exposure and resource-exhaustion patterns, respectively.
Key Findings
Added coverage for Leaking Server Functions (CVE-2025-55183) and React Function DoS detection (CVE-2025-55184).
Impact
These updates strengthen protection for server-function abuse techniques (CVE-2025-55183, CVE-2025-55184) that may expose internal logic or disrupt application availability.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | React - Leaking Server Functions - CVE:CVE-2025-55183 | N/A | Block | This was labeled as Generic - Server Function Source Code Exposure. | |
| Cloudflare Free Ruleset | N/A | React - Leaking Server Functions - CVE:CVE-2025-55183 | N/A | Block | This was labeled as Generic - Server Function Source Code Exposure. | |
| Cloudflare Managed Ruleset | N/A | React - DoS - CVE:CVE-2025-55184 | N/A | Disabled | This was labeled as Generic – Server Function Resource Exhaustion. |
WAF Release - 2025-12-10 - Emergency
This additional week's emergency release introduces improvements to our existing rule for React – Remote Code Execution – CVE-2025-55182 - 2, along with two new generic detections covering server-side function exposure and resource-exhaustion patterns.
Key Findings
Enhanced detection logic for React – RCE – CVE-2025-55182, added Generic – Server Function Source Code Exposure, and added Generic – Server Function Resource Exhaustion.
Impact
These updates strengthen protection against React RCE exploitation attempts and broaden coverage for common server-function abuse techniques that may expose internal logic or disrupt application availability.
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | N/A | React - Remote Code Execution - CVE:CVE-2025-55182 - 2 | N/A | Block | This is an improved detection. | |
| Cloudflare Free Ruleset | N/A | React - Remote Code Execution - CVE:CVE-2025-55182 - 2 | N/A | Block | This is an improved detection. | |
| Cloudflare Managed Ruleset | N/A | Generic - Server Function Source Code Exposure | N/A | Block | This is a new detection. | |
| Cloudflare Free Ruleset | N/A | Generic - Server Function Source Code Exposure | N/A | Block | This is a new detection. | |
| Cloudflare Managed Ruleset | N/A | Generic - Server Function Resource Exhaustion | N/A | Disabled | This is a new detection. |
Increased WAF payload limit for all plans
Cloudflare WAF now inspects request-payload size of up to 1 MB across all plans to enhance our detection capabilities for React RCE (CVE-2025-55182).
Key Findings
React payloads commonly have a default maximum size of 1 MB. Cloudflare WAF previously inspected up to 128 KB on Enterprise plans, with even lower limits on other plans.
Update: We later reinstated the maximum request-payload size the Cloudflare WAF inspects. Refer to Updating the WAF maximum payload values for details.
Updating the WAF maximum payload values
We are reinstating the maximum request-payload size the Cloudflare WAF inspects, with WAF on Enterprise zones inspecting up to 128 KB.
Key Findings
On December 5, 2025, we initially attempted to increase the maximum WAF payload limit to 1 MB across all plans. However, an automatic rollout for all customers proved impractical because the increase led to a surge in false positives for existing managed rules.
This issue was particularly notable within the Cloudflare Managed Ruleset and the Cloudflare OWASP Core Ruleset, impacting customer traffic.
Impact
Customers on paid plans can increase the limit to 1 MB for any of their zones by contacting Cloudflare Support. Free zones are already protected up to 1 MB and do not require any action.