---
name: Application Security Changelog
slug: cloudflare-application-security
type: feed
source_url: https://developers.cloudflare.com/changelog/?area=application-security
organization: Cloudflare
organization_slug: cloudflare
total_releases: 134
latest_date: 2026-06-15
last_updated: 2026-06-19
tracking_since: 2025-01-06
canonical: https://releases.sh/cloudflare/cloudflare-application-security
organization_url: https://releases.sh/cloudflare
---

<Release date="June 15, 2026" published="2026-06-15T00:00:00.000Z" url="https://developers.cloudflare.com/changelog/post/scheduled-waf-release/">
## WAF - WAF Release - Scheduled changes for 2026-06-22

| Announcement Date | Release Date | Release Behavior | Legacy Rule ID | Rule ID | Description | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| 2026-06-15 | 2026-06-22 | Log | N/A | 500a90789f874345b60b0de7242fdf83 | Ivanti Sentry - Command Injection - CVE:CVE-2026-10520 | This is a new detection. |
</Release>

<Release date="June 15, 2026" published="2026-06-15T00:00:00.000Z" url="https://developers.cloudflare.com/changelog/post/2026-06-15-waf-release/">
## WAF - WAF Release - 2026-06-15

This week's release adds managed protection for a critical SQL injection vulnerability in Ghost CMS (CVE-2026-26980) and a new generic rule, shipped disabled, that detects SQL injection (SQLi) bypass attempts using obfuscated boolean logic in the URI. These rules stop matching payloads at the network edge before they reach affected installations; the obfuscated-boolean rule takes effect once you enable it.

**Key Findings**

- CVE-2026-26980: A blind SQL injection vulnerability in the Ghost CMS Content API (versions 3.24.0 to 6.19.0) allows unauthenticated remote attackers to inject malicious SQL commands via query parameters due to improper input validation.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | 439c4ef64b32447989bdf412b4c29bc6 | N/A | Ghost CMS - SQLi - CVE:CVE-2026-26980 | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 6c64b68ef5ed45e7a622cdaab56f403f | N/A | SQLi - Obfuscated Boolean - URI | Log | Disabled | This is a new detection. |
</Release>

<Release date="June 15, 2026" published="2026-06-15T00:00:00.000Z" url="https://developers.cloudflare.com/changelog/post/2026-06-15-threat-intelligence-fields/">
## WAF - Use Cloudforce One threat intelligence in WAF rules

You can now match incoming requests against Cloudforce One threat intelligence in your WAF rules. A new detection looks up the client IP address of each request against the threat intelligence database. If the IP was involved in threat activity in the past seven days, Cloudflare populates `cf.intel.ip.*` fields that you can use in [custom rules](https://developers.cloudflare.com/waf/custom-rules/) and [rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/).

The detection populates the following fields. Use the [`any()`](https://developers.cloudflare.com/ruleset-engine/rules-language/functions/#any) function with the `[*]` wildcard to match array values:

- `cf.intel.ip.datasets` — the dataset that flagged the IP address (`ddos` or `waf`).
- `cf.intel.ip.target_industries` — industries the IP address has targeted.
- `cf.intel.ip.attacker_names` — known threat actors associated with the IP address.
- `cf.intel.ip.attacker_countries` — source countries of the threat activity.
- `cf.intel.ip.target_countries` — countries the IP address has targeted.

For example, the following custom rule expression blocks requests from IP addresses associated with DDoS activity that have targeted France:

```txt
any(cf.intel.ip.target_countries[*] == "FR") and any(cf.intel.ip.datasets[*] == "ddos")
```

These fields work with the Cloudflare API and Terraform. Matches are logged in [Security Analytics](https://developers.cloudflare.com/waf/analytics/security-analytics/).

The threat intelligence detection is available to customers with an active [Cloudforce One](https://developers.cloudflare.com/security-center/cloudforce-one/) subscription. For more information, refer to [Threat intelligence](https://developers.cloudflare.com/waf/detections/threat-intelligence/).
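The expression above is hand-written; in practice the criteria come from a ticket or a policy and the rule is pushed through the API. The following is an added example, not Cloudflare's code: it composes `any(field[*] == "...")` clauses for any of the five `cf.intel.ip.*` fields with proper string escaping, builds a rule that starts in `log` mode, and appends it to the zone's custom-rules ruleset. The Rulesets API endpoints used in `deployRule()` and the `CF_API_TOKEN` / `CF_ZONE_ID` variable names are this example's assumptions, so check them against the API reference before relying on them.

```javascript
// Added example; not Cloudflare's code. Builds custom-rule expressions from the
// cf.intel.ip.* fields and appends the rule to a zone's custom-rules ruleset.
// Assumed (not stated in the changelog): the Rulesets API endpoints used in
// deployRule() and the CF_API_TOKEN / CF_ZONE_ID environment variable names.

const INTEL_FIELDS = new Set([
  'cf.intel.ip.datasets',
  'cf.intel.ip.target_industries',
  'cf.intel.ip.attacker_names',
  'cf.intel.ip.attacker_countries',
  'cf.intel.ip.target_countries',
]);

// Rules-language string literal: escape backslash and double quote so a value
// taken from a ticket or a feed cannot alter the expression's structure.
function quote(value) {
  return '"' + String(value).replace(/[\\"]/g, (c) => '\\' + c) + '"';
}

// any(field[*] == "a") or any(field[*] == "b") ... for one array-valued field.
function anyOf(field, values) {
  if (!INTEL_FIELDS.has(field)) throw new Error(`unknown intel field: ${field}`);
  if (!values.length) throw new Error(`no values for ${field}`);
  return values.map((v) => `any(${field}[*] == ${quote(v)})`).join(' or ');
}

// AND across fields, OR within a field's value list.
function buildExpression(criteria) {
  const clauses = Object.entries(criteria).map(([field, values]) => {
    const clause = anyOf(field, values);
    return values.length > 1 ? `(${clause})` : clause;
  });
  if (!clauses.length) throw new Error('empty criteria');
  return clauses.join(' and ');
}

// Rule in the shape the custom-rules phase accepts. Default to "log" so
// Security Analytics shows what the rule would hit before it is set to "block".
function buildRule(criteria, { action = 'log', description } = {}) {
  return {
    action,
    expression: buildExpression(criteria),
    description: description || `Cloudforce One intel: ${Object.keys(criteria).join(', ')}`,
    enabled: true,
  };
}

// Append one rule to the http_request_firewall_custom entrypoint ruleset.
// POST .../rules keeps the rules already in the ruleset; a PUT on the
// entrypoint would replace them all. Runs only when credentials are set.
async function deployRule(rule) {
  const { CF_API_TOKEN: token, CF_ZONE_ID: zone } = process.env;
  if (!token || !zone) return null;
  const base = `https://api.cloudflare.com/client/v4/zones/${zone}/rulesets`;
  const headers = { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' };
  const entry = await fetch(`${base}/phases/http_request_firewall_custom/entrypoint`, { headers });
  if (!entry.ok) throw new Error(`entrypoint lookup failed: HTTP ${entry.status}`);
  const { result } = await entry.json();
  const res = await fetch(`${base}/${result.id}/rules`, {
    method: 'POST', headers, body: JSON.stringify(rule),
  });
  if (!res.ok) throw new Error(`rule create failed: HTTP ${res.status}`);
  return res.json();
}

// The changelog's example (DDoS dataset, targeted France) plus a second
// country, in log mode.
const rule = buildRule({
  'cf.intel.ip.datasets': ['ddos'],
  'cf.intel.ip.target_countries': ['FR', 'DE'],
});
console.log(JSON.stringify(rule, null, 2));
deployRule(rule).then((r) => r && console.log(JSON.stringify(r, null, 2)));
```

Run it without credentials to print the rule JSON, review the hits in Security Analytics after deploying it in `log`, and only then change `action` to `block`; a seven-day lookback window means an IP can be flagged for activity against a different target than yours.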
</Release>

<Release date="June 10, 2026" published="2026-06-10T00:00:00.000Z" url="https://developers.cloudflare.com/changelog/post/2026-06-08-brand-protection-cease-and-desist-letters/">
## Security Center - Automated Cease and Desist templates for Brand Protection

**TL;DR:** Brand Protection now features an **Automated Cease & Desist (C&D)** workflow. When you discover an infringing domain hosted outside of Cloudflare, you can instantly generate, review, and download a custom-branded, pre-filled legal notice in seconds.

#### Why this matters

This update introduces a major shift from pure detection to actionable enforcement, eliminating the manual burden for your Trust & Safety and Legal teams:

- **Instant WHOIS and Recipient Lookup:** We automatically retrieve registrar data and WHOIS contact information (such as the registrant or registrar abuse email) behind the scenes, highlighting exactly where your notice needs to be sent.
- **Smart Template Automation:** We pre-fill your custom-branded templates with essential metadata, including the infringing domain, registrar name, and discovery date.
- **Tailored Enforcement Tones:** Choose from three default templates depending on how closely the domain matches your brand:
    -   *Exact Match:* A formal demand for identical trademark infringements
    -   *Similar Match:* A standard notice optimized for typosquatting (one-character distance matches)
    -   *Friendly Tone:* An amicable initial outreach for potential unintentional or accidental infringements
- **Full Editing Control:** Before creating the final PDF, a real-time review screen allows you to fine-tune the messaging, modify placeholders, and ensure your text aligns with internal legal standards.

#### How it works

When reviewing a malicious domain match inside your dashboard, your enforcement path depends on where the infringing domain is hosted:

1. **On the Cloudflare Network:** If the domain uses Cloudflare’s network or registrar, trigger our existing integrated abuse reporting flow with one click.
2. **Hosted Elsewhere:** If the domain is hosted on an external provider, click the **Generate C&D Letter** option to launch the new document builder, pick your template, verify the auto-populated recipient data, and download your finalized PDF.

You can manage your templates and enforce matches by going to the **Cloudflare Dashboard > Application Security > Brand Protection** and selecting your detected Brand Protection matches. For more information, read the [Brand Protection documentation](https://developers.cloudflare.com/security-center/brand-protection/).

> **Note:** Cloudflare does not represent you and cannot provide you with legal advice. Only you can decide whether your rights have been infringed, whether a cease and desist letter is appropriate, and what that letter should say.
</Release>

<Release date="June 9, 2026" published="2026-06-09T00:00:00.000Z" url="https://developers.cloudflare.com/changelog/post/2026-06-09-waf-release/">
## WAF - WAF Release - 2026-06-09

This release introduces new detections for a critical SQL injection vulnerability in Drupal installations using PostgreSQL (CVE-2026-9082), targeted protection for an unsafe deserialization flaw in the Mirasvit Cache Warmer extension (CVE-2026-45247), and coverage for a prototype pollution vector in Axios (CVE-2026-40175). It also adds two generic rules, shipped disabled, that detect SQL injection (SQLi) bypass attempts using obfuscated boolean logic in request bodies and headers.

**Key Findings**

- CVE-2026-9082: A database abstraction vulnerability affects Drupal sites configured with a PostgreSQL backend. Remote, unauthenticated attackers can exploit this flaw via crafted inputs to inject malicious SQL commands and access or manipulate backend data.
    
- CVE-2026-45247: A PHP Object Injection vulnerability exists in the Mirasvit Cache Warmer extension for Magento and Adobe Commerce. This flaw stems from unsafe deserialization of untrusted user input, enabling unauthenticated attackers to execute arbitrary code on the hosting server.
    
- CVE-2026-40175: A prototype pollution vulnerability affects the Axios HTTP client library. Attackers can exploit it to inject properties into the shared `Object.prototype`, which, depending on how the application uses the polluted objects, can crash the application (denial of service) or lead to unauthorized code execution.
    

**Impact**

Successful exploitation of these vulnerabilities could allow unauthenticated attackers to execute arbitrary code, manipulate database contents, or crash the application, leading to severe operational disruption or complete server compromise. The new signatures block matching payloads at the edge before they reach vulnerable software.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | b4f88cb767874def810edd0b387cf935 | N/A | Axios - Prototype Pollution - CVE:CVE-2026-40175 | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 098997bb8b5f48abb4039bd6417eb9e0 | N/A | Drupal - PostgreSQL SQLi - CVE:CVE-2026-9082 - Body | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 8a7650b99ec04a91a19b8295fd3857fd | N/A | Drupal - PostgreSQL SQLi - CVE:CVE-2026-9082 - URI | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 525c0871787840e6a6193f6caee241d2 | N/A | SQLi - Obfuscated Boolean - Body | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | 1ec4aeaf7900463397b82b35d8620070 | N/A | SQLi - Obfuscated Boolean - Headers | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | fb74766654c44ff2a5204dc4e0be4d47 | N/A | Mirasvit Cache Warmer - PHP Object Injection - CVE:CVE-2026-45247 | N/A | Block | This is a new detection. |
</Release>

<Release date="June 8, 2026" published="2026-06-08T00:00:00.000Z" url="https://developers.cloudflare.com/changelog/post/2026-06-08-create-waf-rules-from-threat-events/">
## Security Center - Create WAF rules directly from Threat Events saved views

Cloudforce One users can now turn [Threat Events indicators](https://developers.cloudflare.com/security-center/cloudforce-one/#analyze-threat-events) into active defense. With this update, users can instantly generate a WAF rule that matches the dynamic list of IP addresses returned by any of their **Saved Views**.

#### Why this matters

Threat intelligence is most effective when it is immediately actionable. Previously, blocking threat actors required manually extracting indicators from threat events and copying them into your firewall rules. This new integration bridges the gap between threat discovery and threat mitigation:

- When you identify an active threat pattern - such as an ongoing campaign targeting a specific industry, or using a known indicator type - you can pivot from investigation to mitigation in a single click.
- Instead of writing complex, static IP rules, this functionality allows you to leverage the specific filtering logic you have already defined and saved within your Threat Events ecosystem.
- Automating the generation of the WAF rule expression from your threat views eliminates manual copying errors, ensuring that the right malicious infrastructure is blocked instantly.

#### How to use it

You can implement these rules through both the dashboard UI and via the API / Terraform.

Go to **Cloudflare Dashboard** > **Application Security** > **Threat Intelligence** > **Manage Views**, select your desired view, and select **Create WAF Rule**.

This will automatically pre-populate the [WAF rule builder](https://developers.cloudflare.com/firewall/cf-dashboard/create-edit-delete-rules/) with the matching threat event IP indicators.

You can also automate this workflow by utilizing the [**WAF Rule Builder API**](https://developers.cloudflare.com/firewall/api/cf-firewall-rules/) alongside your [Threat Events saved views endpoints](https://developers.cloudflare.com/firewall/api/cf-firewall-rules/).
</Release>

<Release date="June 8, 2026" published="2026-06-08T00:00:00.000Z" url="https://developers.cloudflare.com/changelog/post/2026-06-08-threat-actor-profiles/">
## Security Center - Introducing Threat Actor Profiles in Threat Events

**TL;DR:** We’ve launched **Threat Actor Profiles** directly inside the Threat Events dashboard. You can now immediately pivot from a generic alert or blocked event to a profile that unmasks the "Who, Why, and How" behind a threat event.

#### Why this matters

Security teams often suffer from a visibility gap. When an attack is blocked, it's difficult to know if it was a random automated bot or a sophisticated advanced persistent threat (APT) campaign specifically targeting your industry. Finding out usually means leaving your security dashboard to hunt through external OSINT feeds or static, out-of-date threat reports. Threat Actor Profiles solve this by sharing Cloudforce One’s deep adversary research directly inside your workflow:

- Cloudflare sees the traffic in real-time across approximately 20% of the web. This means actor profiles display active malicious infrastructure the moment it touches our global edge.
- Every profile provides clear strategic and tactical modules including alternative aliases, origin tracking, historical threat event volume, and MITRE ATT&CK mapping detailing the adversary's technical methods.
- You can search the dedicated threat actor directory, or click an actor's name inside any threat event, to view the actor's details and all related events.

#### How to use it

Adversary tracking is now available in the Cloudflare Dashboard and ready to be included in your daily investigation workflow:

- Click on the **Threat Actor** name in the Threat Events table to open their full identity profile and review their aliases and attack stats.
- Navigate to **Cloudflare Dashboard > Application Security > Threat Intelligence** to explore the new **Threat Actors** tab. Here, you can browse a card-based directory of all established entities tracked by Cloudforce One.

Learn more in the [Cloudforce One documentation](https://developers.cloudflare.com/security-center/cloudforce-one/#identify-the-adversary).
</Release>

<Release date="May 29, 2026" published="2026-05-29T00:00:00.000Z" url="https://developers.cloudflare.com/changelog/post/2026-05-29-security-insights-default-scans/">
## Security Center - Security scans more frequent

Security Insights scans now run more often. Cloudflare scans Free accounts **every 7 days**, Pro and Business accounts **every 3 days**, and Enterprise accounts **daily**.

In addition, all accounts and zones now receive scans by default. You no longer need to enable scans before Cloudflare checks your account for misconfigurations, vulnerabilities, and other security risks.

Granular on-demand scans are now available on any plan. You can trigger an on-demand scan for any zone, insight, or insight type from the Cloudflare dashboard to quickly re-check your security posture after remediating an issue.

To learn more, refer to the [Security Insights documentation](https://developers.cloudflare.com/security/security-insights/).
</Release>

<Release date="May 20, 2026" published="2026-05-20T00:00:00.000Z" url="https://developers.cloudflare.com/changelog/post/2026-05-20-waf-release/">
## WAF - WAF Release - 2026-05-20

**Key Findings**

* Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.

**Continuous Rule Improvements**

We are continuously refining our managed rules to provide more resilient protection and deeper insights into attack patterns. To ensure an optimal security posture, we recommend consistently monitoring the Security Events dashboard and adjusting rule actions as these enhancements are deployed.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | ...9e9c068d | N/A | Sitecore - Cache Poisoning - CVE:CVE-2025-53693 Beta | N/A | Block | This rule is merged into the original rule "Sitecore - Cache Poisoning - CVE:CVE-2025-53693" (ID: ...7c5b669c). |
</Release>

<Release date="May 15, 2026" published="2026-05-15T00:00:00.000Z" url="https://developers.cloudflare.com/changelog/post/2026-05-15-emergency-waf-release/">
## WAF - WAF Release - 2026-05-15 - Emergency

This emergency release introduces two new rules to detect nginx heap buffer overflow and heap spray exploitation attempts targeting the rewrite module's `is_args` stale-state bug (CVE-2026-42945).

**Key Findings**

CVE-2026-42945: nginx Heap Buffer Overflow via Stale `is_args` in Rewrite Module

Successful exploitation allows remote attackers to trigger a heap buffer overflow in nginx's rewrite module by sending crafted URIs containing escapable characters. A length/copy pass mismatch in `ngx_http_script_copy_capture_code()` causes the copy pass to write escaped data into an undersized buffer, leading to heap corruption. This enables denial of service (worker process crash) and, with heap feng shui techniques, potential remote code execution.

We strongly recommend upgrading to nginx 1.30.1 (or later) immediately to address the underlying vulnerability. If you cannot upgrade immediately, avoid `rewrite` directives with `?` in the replacement string followed by `set` or `if` referencing capture groups.
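The interim workaround above is easy to state but tedious to verify by hand across a large configuration. The following is an added example, not nginx's or Cloudflare's code: a line-based audit that flags a `rewrite` whose replacement contains `?` when a later `set` or `if` in the same block reads a capture group (`$1` to `$9`). It is a heuristic built from the changelog's wording, not an nginx parser and not an exploit detector; the sample configuration it scans is constructed for the example.

```javascript
// Added example; not nginx's or Cloudflare's code. Flags the configuration
// pattern the changelog says to avoid while unpatched: a `rewrite` whose
// replacement contains `?`, followed in the same block by a `set` or `if`
// that references a capture group ($1..$9). Line-based heuristic only.

const RISKY_REWRITE = /^\s*rewrite\s+(\S+)\s+(\S+)/;  // rewrite <regex> <replacement> [flag];
const SET_DIRECTIVE = /^\s*set\s+\$\w+\s+(.+?)\s*;/;  // set $var <value>;
const IF_DIRECTIVE = /^\s*if\s*\((.+?)\)/;            // if (<condition>) { ... }
const CAPTURE_REF = /\$[1-9]\b/;                      // $1 .. $9

function stripQuotes(s) {
  return s.replace(/^['"]|['"]$/g, '');
}

// One finding per set/if that reads a capture group after a risky rewrite in
// the same (or an enclosed) block.
function auditNginxConfig(text) {
  const findings = [];
  let depth = 0;
  let risky = null; // { line, depth } of the most recent risky rewrite in scope
  text.split('\n').forEach((raw, idx) => {
    const line = raw.replace(/#.*$/, ''); // drop comments
    const lineNo = idx + 1;

    const rw = line.match(RISKY_REWRITE);
    if (rw && stripQuotes(rw[2]).includes('?')) {
      risky = { line: lineNo, depth };
    } else if (risky) {
      let m = null;
      let directive = null;
      if ((m = line.match(SET_DIRECTIVE))) directive = 'set';
      else if ((m = line.match(IF_DIRECTIVE))) directive = 'if';
      if (directive && CAPTURE_REF.test(m[1])) {
        findings.push({ rewriteLine: risky.line, line: lineNo, directive });
      }
    }

    // Track block nesting; leaving the rewrite's block ends its scope.
    depth += (line.match(/\{/g) || []).length - (line.match(/\}/g) || []).length;
    if (risky && depth < risky.depth) risky = null;
  });
  return findings;
}

// Constructed sample config (not from the advisory): two risky locations and
// one benign one whose replacement has no '?'.
const SAMPLE_CONF = `
server {
    listen 80;
    location /old {
        rewrite ^/old/(.*)$ /new/$1?from=legacy last;
        set $tag $1;
    }
    location /safe {
        rewrite ^/safe/(.*)$ /ok/$1 last;
        set $tag $1;
    }
    location /q {
        rewrite ^/q/(.*)$ /r/$1?x=1 last;
        if ($1 = "admin") { return 403; }
    }
}
`;

for (const f of auditNginxConfig(SAMPLE_CONF)) {
  console.log(`line ${f.line}: ${f.directive} reads a capture group after a '?' rewrite on line ${f.rewriteLine}`);
}
```

Run it against `nginx -T` output to cover included files in one pass. A clean result only means the workaround pattern is absent; the managed rules above protect traffic that passes through Cloudflare, and the actual fix remains the upgrade.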

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | 2013e3e58efe4b79a26e214f7e52be73 | N/A | nginx - Remote Code Execution - Buffer Overread - CVE:CVE-2026-42945 | N/A | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 68226e83a4d14ee9a9c878469df0ee6c | N/A | nginx - Remote Code Execution - Heap Spray - CVE:CVE-2026-42945 | N/A | Block | This is a new detection. |
</Release>

<Release date="May 12, 2026" published="2026-05-12T00:00:00.000Z" url="https://developers.cloudflare.com/changelog/post/2026-05-12-url-scanner-report-agent-readiness/">
## Security Center - Agent Readiness scores now available in URL Scanner via the Cloudflare Dashboard

We’ve added a new **Agent Readiness** tab to URL Scanner reports accessible via the Cloudflare dashboard. This feature evaluates your site against emerging AI standards and provides six specialized scores to help you optimize for the next generation of AI agents and automated discovery.

The Internet is shifting from a human-read web to a machine-read web. AI agents now browse, interact with, and even perform transactions on websites. If a site isn't "agent-ready," these bots may consume excessive bandwidth, fail to find critical information, or be unable to navigate your services efficiently.

The report breaks readiness down into six categories:

- **Basic Web Presence**
- **Discoverability**
- **Content Accessibility**
- **Bot Access Control**
- **Protocol Discovery**
- **Commerce**

#### Accessing the report

You can view these scores for any scanned URL directly in the dashboard or via our API.

- **Dashboard:** Go to **Protect & Connect > Application Security > Investigate**. After running a scan, select the **Agent Readiness** tab in the report.
- **API:** Use the [URL Scanner API](https://developers.cloudflare.com/radar/investigate/url-scanner/) to programmatically retrieve these scores for your infrastructure.

To learn more about the methodology behind these scores, refer to the [blogpost](https://blog.cloudflare.com/agent-readiness/).
</Release>

<Release date="May 11, 2026" published="2026-05-11T00:00:00.000Z" url="https://developers.cloudflare.com/changelog/post/2026-05-11-waf-release/">
## WAF - WAF Release - 2026-05-11

**Key Findings**

- Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.

**Continuous Rule Improvements**

We are continuously refining our managed rules to provide more resilient protection and deeper insights into attack patterns. To ensure an optimal security posture, we recommend consistently monitoring the Security Events dashboard and adjusting rule actions as these enhancements are deployed.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | 23ac4a9e53f94467ba470c9468b3c389 | N/A | Remote Code Execution - Java Deserialization - Body - Beta | Block | Disabled | This is a new detection. This rule is merged into the original rule "Remote Code Execution - Java Deserialization" (ID: 36b0532eb3c941449afed2d3744305c4). |
</Release>

<Release date="May 7, 2026" published="2026-05-07T12:00:00.000Z" url="https://developers.cloudflare.com/changelog/post/2026-05-06-react-nextjs-vulnerabilities/">
## Workers, WAF - WAF and framework adapter mitigations for React and Next.js vulnerabilities

Multiple security vulnerabilities were disclosed by the React team and Vercel affecting React Server Components and Next.js. These include denial of service, middleware and proxy bypass, server-side request forgery, cross-site scripting, and cache poisoning issues across a range of severity levels.

**We strongly recommend updating your application and its dependencies immediately.** Patched versions are available for React (`react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack` `19.0.6`, `19.1.7`, and `19.2.6`) and Next.js (`15.5.16` and `16.2.5`).

#### WAF protections

Cloudflare WAF rules deployed in response to prior React Server Component CVEs ([`CVE-2025-55184`](https://github.com/facebook/react/security/advisories/GHSA-2m3v-v2m8-q956) and [`CVE-2026-23864`](https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg)) already provide coverage for the newly disclosed denial-of-service vulnerabilities. These rules are enabled by default with a Block action for all customers using the Cloudflare Managed Ruleset, including Free plan customers using the Free Managed Ruleset.

| Ruleset | Rule description | Rule ID | Default action |
| --- | --- | --- | --- |
| Cloudflare Managed Ruleset | React - DoS - [`CVE-2025-55184`](https://github.com/facebook/react/security/advisories/GHSA-2m3v-v2m8-q956) | `2694f1610c0b471393b21aef102ec699` | Block |
| Cloudflare Managed Ruleset | React - DoS - [`CVE-2026-23864`](https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg) | `aaede80b4d414dc89c443cea61680354` | Block |

The existing rules detect the underlying attack patterns generically. As a result, they apply to the new [`CVE-2026-23870`](https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh) denial-of-service vulnerability in Server Components and the corresponding Next.js advisory [`GHSA-8h8q-6873-q5fj`](https://github.com/vercel/next.js/security/advisories/GHSA-8h8q-6873-q5fj).

Cloudflare is investigating whether WAF rules can be safely and effectively deployed for three of the high-severity advisories: [`CVE-2026-23870`](https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh) / [`GHSA-8h8q-6873-q5fj`](https://github.com/vercel/next.js/security/advisories/GHSA-8h8q-6873-q5fj), [`GHSA-267c-6grr-h53f`](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f), and [`GHSA-mg66-mrh9-m8jx`](https://github.com/vercel/next.js/security/advisories/GHSA-mg66-mrh9-m8jx). If it is possible to create a managed WAF rule that mitigates these CVEs and does not potentially break application behavior, Cloudflare will add additional managed WAF rules. These rules will be announced through the [WAF changelog](https://developers.cloudflare.com/waf/change-log/changelog/). Because these vulnerabilities were shared with Cloudflare with minimal advance notice, we are still investigating what WAF mitigations are possible.

Several of the disclosed vulnerabilities are not possible to block in WAF. We strongly recommend updating your applications so they are not purely reliant on WAF mitigations.

Customers on Pro, Business, or Enterprise plans should ensure that [Managed Rules are enabled](https://developers.cloudflare.com/waf/get-started/#1-deploy-the-cloudflare-managed-ruleset).

#### Next.js adapters

**Vinext:** [Vinext](https://github.com/cloudflare/vinext) is a Vite plugin that reimplements the Next.js API surface. Vinext's latest release is not vulnerable to any of the disclosed CVEs. Vinext's architecture differs from stock Next.js in ways that sidestep the affected code paths. For example, it does not implement the PPR resume protocol, does not expose Pages Router data-route endpoints, and strips internal headers such as `x-nextjs-data` at request boundaries. As an extra layer of defense, we added a React `19.2.6` or later requirement when running `vinext init` ([PR #1118](https://github.com/cloudflare/vinext/pull/1118), [PR #1112](https://github.com/cloudflare/vinext/pull/1112)) to prevent accidentally running a vulnerable version of React with Vinext.

**OpenNext on Cloudflare:** OpenNext is an adapter that lets you deploy Next.js apps to the Cloudflare Workers platform. OpenNext itself is not directly vulnerable to the React denial-of-service CVE, but users must update the Next.js version in their application. The OpenNext team has updated the adapter to further harden against these vectors and released a new version of the Cloudflare adapter. Test fixtures and examples have been updated to use patched versions ([PR #1255](https://github.com/opennextjs/opennextjs-cloudflare/pull/1255)).

#### Summary of disclosed vulnerabilities

| Advisory | Severity | Issue | WAF status |
| --- | --- | --- | --- |
| [`CVE-2026-23870`](https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh) / [`GHSA-8h8q-6873-q5fj`](https://github.com/vercel/next.js/security/advisories/GHSA-8h8q-6873-q5fj) | High | Denial of service in Server Components | **WAF rules in place:** `2694f1610c0b471393b21aef102ec699`, `aaede80b4d414dc89c443cea61680354`; Cloudflare is investigating additional managed WAF coverage |
| [`GHSA-267c-6grr-h53f`](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f) | High | Middleware bypass via segment-prefetch routes | Cloudflare is investigating if this can be safely and effectively mitigated by a managed WAF rule |
| [`GHSA-mg66-mrh9-m8jx`](https://github.com/vercel/next.js/security/advisories/GHSA-mg66-mrh9-m8jx) | High | Denial of service via connection exhaustion in Cache Components | Cloudflare is investigating if this can be safely and effectively mitigated by a managed WAF rule |
| [`GHSA-492v-c6pp-mqqv`](https://github.com/vercel/next.js/security/advisories/GHSA-492v-c6pp-mqqv) | High | Middleware bypass via dynamic route parameter injection | Not possible to safely enable a managed WAF rule without potentially breaking application behavior |
| [`GHSA-c4j6-fc7j-m34r`](https://github.com/vercel/next.js/security/advisories/GHSA-c4j6-fc7j-m34r) | High | SSRF via WebSocket upgrades | Not possible to safely enable a managed WAF rule without potentially breaking application behavior |
| [`GHSA-36qx-fr4f-26g5`](https://github.com/vercel/next.js/security/advisories/GHSA-36qx-fr4f-26g5) | High | Middleware bypass in Pages Router i18n | Custom WAF rule possible; global managed rule could potentially break application behavior |
| [`GHSA-ffhc-5mcf-pf4q`](https://github.com/vercel/next.js/security/advisories/GHSA-ffhc-5mcf-pf4q) | Moderate | XSS via CSP nonces | Custom WAF rule possible; global managed rule could potentially break application behavior |
| [`GHSA-gx5p-jg67-6x7h`](https://github.com/vercel/next.js/security/advisories/GHSA-gx5p-jg67-6x7h) | Moderate | XSS in `beforeInteractive` scripts | Not possible to safely enable a managed WAF rule without potentially breaking application behavior |
| [`GHSA-h64f-5h5j-jqjh`](https://github.com/vercel/next.js/security/advisories/GHSA-h64f-5h5j-jqjh) | Moderate | Denial of service in Image Optimization API | Custom WAF rule possible; global managed rule could potentially break application behavior |
| [`GHSA-wfc6-r584-vfw7`](https://github.com/vercel/next.js/security/advisories/GHSA-wfc6-r584-vfw7) | Moderate | Cache poisoning in RSC responses | Custom WAF rule possible; global managed rule could potentially break application behavior |
| [`GHSA-vfv6-92ff-j949`](https://github.com/vercel/next.js/security/advisories/GHSA-vfv6-92ff-j949) | Low | Cache poisoning via RSC cache-busting collisions | Not possible to safely enable a managed WAF rule without potentially breaking application behavior |
| [`GHSA-3g8h-86w9-wvmq`](https://github.com/vercel/next.js/security/advisories/GHSA-3g8h-86w9-wvmq) | Low | Middleware redirect cache poisoning | Custom WAF rule possible; global managed rule could potentially break application behavior |
</Release>

<Release date="May 7, 2026" published="2026-05-07T00:00:00.000Z" url="https://developers.cloudflare.com/changelog/post/2026-05-07-emergency-waf-release/">
## WAF - WAF Release - 2026-05-07 - Emergency

This emergency release introduces a new rule to detect Next.js App Router middleware and proxy bypass attempts via segment-prefetch routes (CVE-2026-44575).

**Key Findings**

CVE-2026-44575: Next.js Middleware / Proxy Bypass in App Router Applications via Segment-Prefetch Routes

Successful exploitation allows unauthenticated attackers to bypass middleware or proxy-based authorization checks in affected Next.js App Router applications. This leads to unauthorized access to protected content, potential exposure of sensitive application data, and compromise of application security boundaries.

We strongly recommend upgrading to Next.js 15.5.16 or 16.2.5 (or later) immediately to address the underlying vulnerability. If you cannot upgrade immediately, enforce authorization in the underlying route or page logic instead of relying solely on middleware.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | 1de95bf6d6374e1099854278e77e4a53 | N/A | Next.js - Middleware Bypass via Invalid RSC Header - CVE:CVE-2026-44575 | N/A | Disabled | This is a new detection. |
</Release>

<Release date="May 7, 2026" published="2026-05-07T00:00:00.000Z" url="https://developers.cloudflare.com/changelog/post/2026-05-07-csv-export-for-rfis/">
## Security Center - CSV export and adjustable page density for RFIs

You can now export your Requests for Information (RFI) history to a **CSV document** and customize your dashboard view by choosing how many RFI records to load per page.

#### Why this matters

These quality-of-life updates focus on data portability and dashboard performance, allowing power users to manage high volumes of requests more efficiently:

- The new **CSV export** allows you to move RFI data into external tools for custom reporting, internal auditing, or cross-referencing with other security projects without manual data entry.
- With **adjustable page density**, you can now choose to load more records at once (10, 25 or 50) to scan through history faster.

Cloudforce One subscribers can find these new options in [Cloudflare Dashboard > Application Security > Threat Intelligence > Requests for Information](https://dash.cloudflare.com/?to=/:account/application-security/threat-intelligence/requests).
</Release>

<Release date="May 6, 2026" published="2026-05-06T00:00:00.000Z" url="https://developers.cloudflare.com/changelog/post/2026-05-06-taxii-support-for-threat-events-api/">
## Security Center - TAXII support added to Threat Events API

The Cloudforce One Threat Events API now supports [**TAXII**](https://www.cloudflare.com/en-gb/learning/security/what-is-stix-and-taxii/) as an output format, enabling standardized, automated sharing of cyber threat intelligence with your existing security stack.

#### Why this matters

- You can now ingest Cloudforce One threat data directly into your SIEM, TIP or SOAR tools that prefer TAXII-formatted streams without needing custom translation scripts.
- By supporting the TAXII format parameter in our API, security teams can automate the synchronization of indicator data, reducing the manual overhead of updating blocklists and detection rules.
- This alignment with industry standards ensures that your threat data remains consistent across different security ecosystems and partner integrations.

#### How to use it

When calling the Threat Events API, you can now specify `taxii` in the `format` query parameter:

`GET /accounts/{account_id}/cloudforce_one/threat_events?format=taxii`

You can find the updated documentation in the [Cloudflare API Reference](https://developers.cloudflare.com/api/resources/cloudforce_one/subresources/threat_events/methods/list#%28resource%29%20cloudforce_one.threat_events%20%3E%20%28method%29%20list%20%3E%20%28params%29%20default%20%3E%20%28param%29%20format%20%3E%20%28schema%29).
</Release>

<Release date="May 4, 2026" published="2026-05-04T00:00:00.000Z" url="https://developers.cloudflare.com/changelog/post/2026-05-04-waf-release/">
## WAF - WAF Release - 2026-05-04

This week's release focuses on new detections to expand coverage across command injection, SQL injection, PHP object injection, remote code execution, and XSS attack vectors.

**Key Findings**

- Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.

**Continuous Rule Improvements**

We are continuously refining our managed rules to provide more resilient protection and deeper insights into attack patterns. To ensure an optimal security posture, we recommend consistently monitoring the Security Events dashboard and adjusting rule actions as these enhancements are deployed.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | 607ec27233b54beb8b89386ef0884a68 | N/A | XSS, HTML Injection - Object Tag - Body (beta) | Log | Block | This is a new detection. This rule is merged into the original rule "XSS, HTML Injection - Object Tag" (ID: e9e3ac45a6d842f1a132fbf70c14e284). |
| Cloudflare Managed Ruleset | 0087c27420c54168a10bc05eff012303 | N/A | XSS, HTML Injection - Object Tag - Headers | Log | Block | This is a new detection. The rule previously known as "XSS, HTML Injection - Object Tag - Headers (beta)" is now renamed to "XSS, HTML Injection - Object Tag - Headers". |
| Cloudflare Managed Ruleset | 38dc97853ebf40ed9476ec7816f921d9 | N/A | XSS, HTML Injection - Object Tag - URI | Log | Block | This is a new detection. The rule previously known as "XSS, HTML Injection - Object Tag - URI (beta)" is now renamed to "XSS, HTML Injection - Object Tag - URI". |
| Cloudflare Managed Ruleset | 963cb530f72d4c75b2ae7befdc90d21a | N/A | Command Injection - Generic 9 - Body Vector - Beta | N/A | Disabled | This is a new detection. This rule is merged into the original rule "Command Injection - Generic 9 - Body Vector" (ID: 155bb67d1061479e995a38510677175f). |
| Cloudflare Managed Ruleset | 6ac1b6dfe22449a798cc7021f8960375 | N/A | Command Injection - Generic 9 - Header Vector - Beta | N/A | Disabled | This is a new detection. This rule is merged into the original rule "Command Injection - Generic 9 - Header Vector" (ID: b31c34a7b29b4aaf9be6883d1eb7a999). |
| Cloudflare Managed Ruleset | 47a9b66dd73a4a558590c4bdef47a800 | N/A | Command Injection - Generic 9 - URI Vector - Beta | N/A | Disabled | This is a new detection. This rule is merged into the original rule "Command Injection - Generic 9 - URI Vector" (ID: 54ad0465c30d4cd2ac7a707197321c6c). |
| Cloudflare Managed Ruleset | d2ae4a8093f245a1b9de71bbbeebf804 | N/A | Command Injection - Sleep - Body | N/A | Disabled | This is a new detection. The rule previously known as "Command Injection - Sleep" is now renamed to "Command Injection - Sleep - Body". |
| Cloudflare Managed Ruleset | da91868c0d3d44afb846e7830d257566 | N/A | Command Injection - Sleep - Headers | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | 04863c61e982464b91778f051856fe86 | N/A | Command Injection - Sleep - URI | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | 9dc1a0b8dbb7425db619309be6e43c37 | N/A | Fortinet FortiSandbox - Command Injection - CVE:CVE-2026-39808 | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | b84c10f5a8f84800905932dc88118795 | N/A | Remote Code Execution - Common Bash Bypass - Headers | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | f496c40011f14bfdb5f55ec79299d53b | N/A | Remote Code Execution - Common Bash Bypass - URI | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | a5f75abac2664554a984d061b0bf33f9 | N/A | Remote Code Execution - Common Bash Bypass - Body - Beta | N/A | Disabled | This is a new detection. This rule is merged into the original rule "Remote Code Execution - Common Bash Bypass Body" (ID: 6e2f7a696ea74c979e7d069cefb7e5b9). The rule previously known as "Remote Code Execution - Common Bash Bypass Beta" is now renamed to "Remote Code Execution - Common Bash Bypass Body". |
| Cloudflare Managed Ruleset | bbb31a886ab54f6c8cdd220d33bfe8b9 | N/A | PHP Object Injection - 2 - Body - Beta | N/A | Disabled | This is a new detection. This rule is merged into the original rule "PHP Object Injection - 2" (ID: 8ef3c3f91eef46919cc9cb6d161aafdc). |
| Cloudflare Managed Ruleset | e199688ab69746c88c33457f29552387 | N/A | PHP Object Injection - 2 - Headers | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | eb33d40e96c54e929af6ed9c8104f4c5 | N/A | PHP Object Injection - 2 - URI | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | 76b15b7b122a4be6a40d8aa96a46201e | N/A | SQLi - DROP - 2 - Beta | N/A | Disabled | This is a new detection. This rule is merged into the original rule "SQLi - DROP - 2" (ID: a967a167874b42b6898be46e48ac2221). |
| Cloudflare Managed Ruleset | e24b2ef4a5c54f97a62db7a68b7f85ee | N/A | SQLi - DROP - 2 - Headers | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | 51123f35f1d249358aea8fb11546b5f0 | N/A | SQLi - DROP - 2 - URI | N/A | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | d86d8873310d41f2877458a91e053dce | N/A | SmarterMail - Remote Code Execution - CVE:CVE-2026-24423 | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 00da180570d34b5bae2121acd0023a36 | N/A | SQLi - SELECT Expression - Body | Block | Disabled | Action changed |
| Cloudflare Managed Ruleset | c46d9097c9ef419aa4d9f10626cc211f | N/A | SQLi - String Concatenation - URI | Block | Disabled | Action changed |
</Release>

<Release date="April 30, 2026" published="2026-04-30T00:00:00.000Z" url="https://developers.cloudflare.com/changelog/post/2026-04-30-emergency-waf-release/">
## WAF - WAF Release - 2026-04-30 - Emergency

This emergency release introduces a new rule to block a cPanel & WHM Authentication Bypass related to CVE-2026-41940.

**Key Findings**

- CVE-2026-41940: A critical authentication bypass vulnerability in cPanel & WHM allows unauthenticated remote attackers to bypass authentication mechanisms and gain unauthorized administrative access to the web hosting control panel. This vulnerability affects the session validation logic, enabling attackers to craft malicious requests that circumvent normal authentication checks.

**Impact**

Successful exploitation allows unauthenticated attackers to gain administrative control over affected cPanel & WHM installations. This leads to complete server compromise, potential theft or manipulation of hosted data, and significant service disruption across managed environments.

We strongly recommend applying official vendor patches for cPanel & WHM immediately to address the underlying vulnerability.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | fb29b1b660864285a5ebac86eb2b9e2f | N/A | cPanel - Auth Bypass - CVE:CVE-2026-41940 | N/A | Block | This is a new detection. |
</Release>

<Release date="April 27, 2026" published="2026-04-27T00:00:00.000Z" url="https://developers.cloudflare.com/changelog/post/2026-04-27-waf-release/">
## WAF - WAF Release - 2026-04-27

This week's release focuses on new improvements to enhance coverage.

**Key Findings**

- Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.

**Continuous Rule Improvements**

We are continuously refining our managed rules to provide more resilient protection and deeper insights into attack patterns. To ensure an optimal security posture, we recommend consistently monitoring the Security Events dashboard and adjusting rule actions as these enhancements are deployed.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | d866f980582748568385b94480cec1dd | N/A | PostgreSQL - SQLi - COPY - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "PostgreSQL - SQLi - COPY - Body" (ID: 705a6b5569d5472596910e3ce7265a4e). The rule previously known as "PostgreSQL - SQLi - COPY" is now renamed to "PostgreSQL - SQLi - COPY - Body". |
| Cloudflare Managed Ruleset | 71d133c374d94559aa9fdf042903de89 | N/A | PostgreSQL - SQLi - COPY - Headers | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 9f1b1b7fd28a401b9d5c172d1036cfa6 | N/A | PostgreSQL - SQLi - COPY - URI | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 8e40416659334b8ba789365755ff389e | N/A | SQLi - AND/OR MAKE\_SET/ELT - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - AND/OR MAKE\_SET/ELT - Body" (ID: 0f41a593c8fe42c38a26f709252d3934). The rule previously known as "SQLi - AND/OR MAKE\_SET/ELT" is now renamed to "SQLi - AND/OR MAKE\_SET/ELT - Body". |
| Cloudflare Managed Ruleset | 1e0d4372ee1e41b9804b2d5c346487f9 | N/A | SQLi - AND/OR MAKE\_SET/ELT - Headers | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | d2c961a164a64cf6b871c9511ac6ceca | N/A | SQLi - AND/OR MAKE\_SET/ELT - URI | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 4dacc0e6f32d4c5da3c2293edd471337 | N/A | SQLi - Common Patterns - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - Common Patterns - Body" (ID: 98f746d07a6d48ab9dae669acb5d0b9b). The rule previously known as "SQLi - Common Patterns" is now renamed to "SQLi - Common Patterns - Body". |
| Cloudflare Managed Ruleset | 53a374379f2e41e9934791c1975c07b7 | N/A | SQLi - Common Patterns - Headers | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 9efedebfc371443f9fe7308605b1b06b | N/A | SQLi - Common Patterns - URI | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | d53a791496d64700870334f4dd0ba3c7 | N/A | SQLi - Equation - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - Equation - Body" (ID: e7691e1e4f4d4769909f3df6c2eb3e7f). The rule previously known as "SQLi - Equation" is now renamed to "SQLi - Equation - Body". |
| Cloudflare Managed Ruleset | 46efbd3496e64c3f902ad33d3d1c2384 | N/A | SQLi - Equation - Headers | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 46b937649a424b7ead90f6d0e1149ea6 | N/A | SQLi - Equation - URI | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 04d9182545f54ba8a4fa29fe205adbb0 | N/A | SQLi - AND/OR Digit Operator Digit - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - AND/OR Digit Operator Digit - Body" (ID: 762dd334ed0b4273816e3ff13893c564). The rule previously known as "SQLi - AND/OR Digit Operator Digit" is now renamed to "SQLi - AND/OR Digit Operator Digit - Body". |
| Cloudflare Managed Ruleset | a24e7c15503948bc8766481aad2abbaa | N/A | SQLi - AND/OR Digit Operator Digit - Headers | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 0c55eb362df64f92a85aa46753acbc0d | N/A | SQLi - AND/OR Digit Operator Digit - URI | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 18c9879b7e184c559d23c1652b45a97d | N/A | SQLi - Benchmark Function - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - Benchmark Function - Body" (ID: ac4e9ebfb43a4f3998f6072d2ebc44ad). The rule previously known as "SQLi - Benchmark Function" is now renamed to "SQLi - Benchmark Function - Body". |
| Cloudflare Managed Ruleset | 2adbc36c52324efcb4681b829889aadc | N/A | SQLi - Benchmark Function - Headers | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 69564af3bc54406080deed72491b28e9 | N/A | SQLi - Benchmark Function - URI | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 94b1646f0b0b46ec9b96f7742aa649de | N/A | SQLi - Comparison - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - Comparison - Body" (ID: 8166da327a614849bfa29317e7907480). The rule previously known as "SQLi - Comparison" is now renamed to "SQLi - Comparison - Body". |
| Cloudflare Managed Ruleset | 455ce87681bd4200bf53456c39e3e013 | N/A | SQLi - Comparison - Headers | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 8152816062ed47f69be0f907f4bdb492 | N/A | SQLi - Comparison - URI | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | d5afd403a0544248b829fe5da1ff3b34 | N/A | SQLi - String Concatenation - Body - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - String Concatenation - Headers" (ID: 3b0c61407d0b4f7d87e516472116d2fe). The rule previously known as "SQLi - String Concatenation - Headers" is now renamed to "SQLi - String Concatenation - Body". |
| Cloudflare Managed Ruleset | cb0ec290ee454138abe18b750d0e6c3b | N/A | SQLi - String Concatenation - Headers | Log | Block | This is a new detection. (Former ID was 380099df2bb2469c91ebbb7b846d1940.) |
| Cloudflare Managed Ruleset | c46d9097c9ef419aa4d9f10626cc211f | N/A | SQLi - String Concatenation - URI | Log | Block | This is a new detection. (Former ID was bd19397228404b85aa3797238fae8c84.) |
| Cloudflare Managed Ruleset | 6542d36980cf4018b4d5e2bfeacc78ab | N/A | SQLi - SELECT Expression - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - SELECT Expression - Body" (ID: 00da180570d34b5bae2121acd0023a36). The rule previously known as "SQLi - SELECT Expression" is now renamed to "SQLi - SELECT Expression - Body". |
| Cloudflare Managed Ruleset | 4073f7b575ff45dfb7621b43630bb223 | N/A | SQLi - SELECT Expression - Headers | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 2721e3184d50466ea637e9afdcd6efb5 | N/A | SQLi - SELECT Expression - URI | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 7ecca84c08aa4aad9b5a7bda18c47cea | N/A | SQLi - ORD and ASCII - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - ORD and ASCII - Body" (ID: 2fc38b34a9d744d2a3cbcc41d0d207f9). The rule previously known as "SQLi - ORD and ASCII" is now renamed to "SQLi - ORD and ASCII - Body". |
| Cloudflare Managed Ruleset | f6d10e10c9514eb49dcc2122bdb1618f | N/A | SQLi - ORD and ASCII - URI | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 60704f5c5513425c94cf77031d0906b6 | N/A | SQLi - ORD and ASCII - Headers | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 700613b191d3479ea2782b4e9fe4eff5 | N/A | SQLi - Destructive Operations | Log | Block | This is a new detection. |
</Release>

<Release date="April 27, 2026" published="2026-04-27T00:00:00.000Z" url="https://developers.cloudflare.com/changelog/post/2026-04-27-unified-workspace-brand-protection/">
## Security Center - Unified workspace for Brand Protection

We have introduced a unified investigation workspace within Brand Protection to help analysts manage complex brand portfolios. Instead of jumping between individual queries, you can now consolidate your workflow into a single, cohesive view.

#### What's new

- You can now select multiple saved queries from your dashboard to generate a consolidated "Combined Matches" view. This allows you to triage results from different brand queries in one unified table.
- You can open query extended views in distinct tabs within the Brand Protection dashboard. This enables you to maintain multiple investigation contexts simultaneously and switch between them without losing your place.
- You can reset your workspace using the new "Clear Selection" action, making it easier to pivot between different investigation sets.

#### Key benefits

- Eliminate fragmented workflows by viewing all matches across different query buckets in a single table, reducing the need to click through dozens of individual query pages
- Correlate related campaigns by seeing similar domains or infrastructure patterns that appear across multiple saved queries

Learn more in our [Brand Protection documentation](https://developers.cloudflare.com/security-center/brand-protection/).
</Release>

<Pagination cursor="2026-04-27T00:00:00.000Z|2026-06-19T21:06:31.092Z|rel_5Bg8VRcHrDnjz6aIPCJKa" next="https://releases.sh/cloudflare/cloudflare-application-security.md?cursor=2026-04-27T00%3A00%3A00.000Z%7C2026-06-19T21%3A06%3A31.092Z%7Crel_5Bg8VRcHrDnjz6aIPCJKa&limit=20" />
