{"id":"prod_asvsd1ug1PqS0j2DnzY-5","name":"Cloudflare One","slug":"cloudflare-one","orgId":"org_fW6EY8PY8Cr42ifo1IUAm","url":null,"description":null,"category":"infrastructure","kind":"platform","avatarUrl":null,"createdAt":"2026-06-19T21:03:32.762Z","embeddedAt":"2026-06-19T21:03:34.567Z","deletedAt":null,"sources":[{"id":"src_HK2nmgE5Y4mYG_7XbNmud","slug":"cloudflare-cloudflare-one","name":"Cloudflare One Changelog","type":"feed","url":"https://developers.cloudflare.com/changelog/?area=cloudflare-one","metadata":"{\"feedUrl\":\"https://developers.cloudflare.com/changelog/rss/cloudflare-one.xml\",\"feedType\":\"unknown\",\"feedDiscoveredAt\":\"2026-06-19T21:04:44.630Z\",\"noFeedFound\":false,\"feedContentDepth\":\"full\",\"feedEtag\":\"\\\"38bc86a8bffaf36e5ca6ec9d0d9aa148\\\"\",\"feedContentLength\":\"591605\",\"enrichment\":{\"consecutiveFailures\":1}}","kind":null}],"tags":[],"aliases":[],"notice":null,"releases":[{"id":"rel_H8A58ZL7KMYQRh6J87cTB","version":null,"type":"feature","title":"Cloudflare Mesh, Cloudflare Tunnel, Cloudflare WAN, Cloudflare One - Manage all your routes from one page in the dashboard","summary":"The **Routes** page in the Cloudflare dashboard now shows the routes across all of your connectors — [Cloudflare Mesh](https://developers.cloudflare.c...","titleGenerated":null,"titleShort":null,"content":"The **Routes** page in the Cloudflare dashboard now shows the routes across all of your connectors — [Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) and [Cloudflare Tunnel](https://developers.cloudflare.com/tunnel/) routes alongside [Cloudflare WAN](https://developers.cloudflare.com/cloudflare-wan/) and [Magic Transit](https://developers.cloudflare.com/magic-transit/) static routes — in a single table, instead of a separate routes view per product.\n\n![The unified Routes page in the Cloudflare dashboard, showing routes across connectors in a single 
table](https://developers.cloudflare.com/_astro/2026-06-19-unified-routes.B3igBY20_Z1awHp.webp)\n\nFrom the unified Routes page you can:\n\n- **Visualize your network with an interactive map** that shows how your destinations flow through to your connectors — including equal-cost multi-path (ECMP) routes where the same prefix is served by several connectors. Select a node to filter the table down to the routes behind it.\n- **See every route in one table**, with its destination, type, connector, priority, and source, and filter or sort to find what you need.\n- **Create, edit, and delete routes** of any supported type without leaving the page. When adding a Cloudflare WAN or Magic Transit static route, you now pick the next hop by **connector name** instead of typing its IP.\n- **Manage [virtual networks](https://developers.cloudflare.com/cloudflare-one/networks/virtual-networks/)** from a dedicated tab.\n- **Test a route** to see which connector and next hop a destination resolves to before you commit a change.\n\nTo find it, go to **Networking** > **Routes** in the dashboard sidebar.\n\n[Go to **Routes**](https://dash.cloudflare.com/?to=/:account/magic-networks/routes)\n\nYour existing routes, APIs, and configurations are unchanged — this is a dashboard experience that brings them together in one place. 
Learn how to [add routes](https://developers.cloudflare.com/cloudflare-one/networks/routes/add-routes/) and [manage virtual networks](https://developers.cloudflare.com/cloudflare-one/networks/virtual-networks/).","publishedAt":"2026-06-19T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-06-19-unified-routes-page/","media":[{"type":"image","url":"https://developers.cloudflare.com/_astro/2026-06-19-unified-routes.B3igBY20_Z1awHp.webp","alt":"The unified Routes page in the Cloudflare dashboard, showing routes across connectors in a single table","r2Key":"releases/b527a4e6246620ee391258d901927b626c5f12a250efd6b82468f66756f3c102.webp","r2Url":"https://media.releases.sh/releases/b527a4e6246620ee391258d901927b626c5f12a250efd6b82468f66756f3c102.webp"}],"prerelease":false,"source":{"slug":"cloudflare-cloudflare-one","name":"Cloudflare One Changelog","type":"feed"},"product":{"slug":"cloudflare-one","name":"Cloudflare One"},"groupSlug":"cloudflare-one","groupName":"Cloudflare One","coverageCount":0,"contentChars":2135,"contentTokens":459,"composition":null},{"id":"rel_saId7R5DHuFAVbZntw3FQ","version":null,"type":"feature","title":"Cloudflare One, Access - Cloudflare identity provider is now the default for new accounts","summary":"When you create a new Zero Trust organization, Cloudflare now adds the [Cloudflare identity provider](https://developers.cloudflare.com/cloudflare-one...","titleGenerated":null,"titleShort":null,"content":"When you create a new Zero Trust organization, Cloudflare now adds the [Cloudflare identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/cloudflare/) as your default login method. 
Previously, new organizations started with [one-time PIN (OTP)](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/one-time-pin/).\n\nWith the Cloudflare identity provider, your users authenticate using their existing Cloudflare account credentials, and authentication is restricted to members of your account. You can still add OTP or connect any [third-party identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/) whenever you need to.\n\nThis change only applies to newly created accounts. Existing organizations keep the login methods they already have configured. If you would like to use the Cloudflare Identity Provider in an existing account, you must enable it.","publishedAt":"2026-06-18T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-06-18-cloudflare-idp-default/","media":[],"prerelease":false,"source":{"slug":"cloudflare-cloudflare-one","name":"Cloudflare One Changelog","type":"feed"},"product":{"slug":"cloudflare-one","name":"Cloudflare One"},"groupSlug":"cloudflare-one","groupName":"Cloudflare One","coverageCount":0,"contentChars":969,"contentTokens":183,"composition":null},{"id":"rel_SG0Bq9bSi_rm0IQHzGtIt","version":null,"type":"feature","title":"Data Loss Prevention - Define custom topics for AI prompt protection","summary":"You can now define custom topics for AI prompt protection. Predefined [AI prompt topics](https://developers.cloudflare.com/cloudflare-one/data-loss-pr...","titleGenerated":null,"titleShort":null,"content":"You can now define custom topics for AI prompt protection. Predefined [AI prompt topics](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/#ai-prompt-topics) cover common content and intent categories such as PII, source code, and jailbreak attempts. 
Custom topics let you detect unique or proprietary concepts that are not included in predefined categories.\n\nYou describe a custom topic in natural language, and Cloudflare DLP detects whether a prompt matches that topic based on context rather than specific keywords. For example, a topic that describes confidential merger discussions matches a prompt that paraphrases the deal, even when the prompt never uses the word merger or names the companies involved. To detect literal values such as internal codenames or product identifiers, use a [custom wordlist or pattern entry](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/#custom-wordlist-datasets) instead.\n\nCustom topics run through the same [application granular controls](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#granular-controls) path as predefined AI prompt topics. Custom topics are available for ChatGPT, Google Gemini, Perplexity, and Claude.\n\n#### Create a custom AI prompt topic\n\n1. In the [Cloudflare dashboard](https://dash.cloudflare.com/), go to **Zero Trust** > **Data loss prevention** > **Detection entries**.\n2. Select **AI prompt topics**, then select **Custom Prompt Topic**.\n3. Describe the topic in natural language. Be specific about the concept you want to detect. For example, describe unreleased product roadmap details or confidential customer contract terms.\n4. Add this detection entry to an existing DLP profile, or [create a new DLP profile](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/#build-a-custom-profile).\n5. Use the profile in a Gateway HTTP policy to log or block prompts that match the topic.\n\nNote\n\nWrite the description as a concept to classify, not a list of keywords. 
For example, describe \"internal financial forecasts and unreleased revenue figures\" rather than listing specific document names.\n\nFor more information, refer to [AI prompt topics](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/#ai-prompt-topics).","publishedAt":"2026-06-11T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-06-11-custom-ai-prompt-topics/","media":[],"prerelease":false,"source":{"slug":"cloudflare-cloudflare-one","name":"Cloudflare One Changelog","type":"feed"},"product":{"slug":"cloudflare-one","name":"Cloudflare One"},"groupSlug":"cloudflare-one","groupName":"Cloudflare One","coverageCount":0,"contentChars":2448,"contentTokens":492,"composition":null},{"id":"rel_eTCOPIAiZXz5st-jFLwn-","version":null,"type":"feature","title":"Gateway, Cloudflare Mesh, Workers VPC - Filter Workers' public Internet traffic using Gateway policies","summary":"Workers using a [VPC Network](https://developers.cloudflare.com/workers-vpc/configuration/vpc-networks/) binding with `network_id: \"cf1:network\"` now ...","titleGenerated":null,"titleShort":null,"content":"Workers using a [VPC Network](https://developers.cloudflare.com/workers-vpc/configuration/vpc-networks/) binding with `network_id: \"cf1:network\"` now egress to public Internet destinations through [Cloudflare Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/). This means your existing Zero Trust traffic policies — DNS, HTTP, Network, and egress — extend to traffic that originates from your Workers, the same way they do for WARP users today.\n\n1. [Worker](https://developers.cloudflare.com/workers/)\n    \n    Calls `env.EGRESS.fetch()`\n    \n2. [VPC binding](https://developers.cloudflare.com/workers-vpc/) ↓\n3. 
[Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/)\n    \n    Bind via [`cf1:network`](https://developers.cloudflare.com/workers-vpc/configuration/vpc-networks/)\n    \n4. ↓\n5. [Cloudflare Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)\n    \n    Policies applied:\n    \n    [DNS](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/) [HTTP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) [Network](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/)\n    \n6. ↓\n7. ↗ Public Internet\n    \n    Any public hostname or IP\n    \n\n[Gateway logs DNS HTTP Network](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/)\n\nWhat you get by default:\n\n- **Visibility.** Worker egress shows up in Gateway [DNS](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/), [HTTP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/), and [Network](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) logs alongside your other traffic, so you can audit what your Workers are calling and when.\n- **Enforcement.** Any existing Gateway policy whose selectors match a Worker request will apply — including allow / block lists, DNS category filtering, and HTTP destination rules. 
If you have already blocked a category for your workforce, your Workers inherit that block.\n\n- wrangler.jsonc\n    \n    ```jsonc\n    {\n      \"vpc_networks\": [\n        {\n          \"binding\": \"EGRESS\",\n          \"network_id\": \"cf1:network\",\n          \"remote\": true,\n        },\n      ],\n    }\n    ```\n    \n- wrangler.toml\n    \n    ```toml\n    [[vpc_networks]]\n    binding = \"EGRESS\"\n    network_id = \"cf1:network\"\n    remote = true\n    ```\n    \n\n- JavaScript\n    \n    ```js\n    // Egress to a public destination — subject to your Gateway policies and logged\n    const response = await env.EGRESS.fetch(\"https://api.example.com/data\");\n    ```\n    \n- TypeScript\n    \n    ```ts\n    // Egress to a 
public destination — subject to your Gateway policies and logged\n    const response = await env.EGRESS.fetch(\"https://api.example.com/data\");\n    ```\n    \n\nFor configuration options, refer to [VPC Networks](https://developers.cloudflare.com/workers-vpc/configuration/vpc-networks/). For policy authoring, refer to [Cloudflare Gateway traffic policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/).","publishedAt":"2026-06-05T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-06-05-gateway-egress/","media":[],"prerelease":false,"source":{"slug":"cloudflare-cloudflare-one","name":"Cloudflare One Changelog","type":"feed"},"product":{"slug":"cloudflare-one","name":"Cloudflare One"},"groupSlug":"cloudflare-one","groupName":"Cloudflare One","coverageCount":0,"contentChars":4719,"contentTokens":1269,"composition":null},{"id":"rel_CVBKmmANcGM5UaMy-Li0x","version":null,"type":"feature","title":"Access - Share identity providers across accounts with IdP federation","summary":"Cloudflare Access now supports [IdP federation](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/idp-federation/), whi...","titleGenerated":null,"titleShort":null,"content":"Cloudflare Access now supports [IdP federation](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/idp-federation/), which allows organizations to share a single identity provider across multiple Cloudflare accounts.\n\nInstead of configuring the same IdP (for example, Okta or Entra ID) separately in every account, you configure it once in a source account and share it with the other accounts in your organization. 
Each recipient account gets a read-only IdP connection that routes authentication back to the source account through a bridge — a hidden application in the source account that brokers the cross-account login. End users sign in with their existing IdP credentials, and each account's Access policies evaluate the resulting identity just like any other IdP login.\n\nKey capabilities:\n\n- **One IdP, many accounts** — Configure your IdP once and share it with all accounts in your organization.\n- **Lifecycle management** — As accounts join or leave your Cloudflare organization, their IdP connections are provisioned and removed automatically — no manual cleanup required.\n- **Immutable recipient connections** — IdP connections in recipient accounts cannot be accidentally modified or deleted.\n\nTo get started, refer to [IdP federation](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/idp-federation/).","publishedAt":"2026-06-04T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-06-04-idp-federation/","media":[],"prerelease":false,"source":{"slug":"cloudflare-cloudflare-one","name":"Cloudflare One Changelog","type":"feed"},"product":{"slug":"cloudflare-one","name":"Cloudflare One"},"groupSlug":"cloudflare-one","groupName":"Cloudflare One","coverageCount":0,"contentChars":1378,"contentTokens":265,"composition":null},{"id":"rel_zKr3bGcikQpAMgQjUsBNI","version":null,"type":"feature","title":"Access - SAML assertion encryption for identity providers","summary":"Cloudflare Access now supports SAML assertion encryption for identity provider integrations. When turned on, your identity provider encrypts SAML asse...","titleGenerated":null,"titleShort":null,"content":"Cloudflare Access now supports SAML assertion encryption for identity provider integrations. When turned on, your identity provider encrypts SAML assertions using a Cloudflare-managed certificate before sending them through the user's browser. 
Only Access can decrypt these assertions, protecting sensitive identity data even after TLS termination.\n\nWithout encryption, SAML assertions are transmitted in plaintext and could be visible to browser extensions or client-side malware.\n\n![SAML encryption toggle in the identity provider configuration](https://developers.cloudflare.com/_astro/saml-encryption.J5jmiYv8_ZkhXFT.webp)\n\nSAML encryption includes built-in certificate lifecycle management:\n\n- **Automatic certificate generation**: Access generates an encryption certificate when you turn on SAML encryption for an identity provider.\n- **Certificate rotation**: Rotate certificates without downtime. The previous certificate remains valid until expiration, giving you time to update your IdP.\n- **PEM export**: Copy the certificate in PEM format for manual upload to your IdP, or point your IdP to the SAML metadata endpoint for automatic retrieval.\n\nTo get started, refer to [Encrypt SAML assertions](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-saml/#encrypt-saml-assertions).","publishedAt":"2026-06-03T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-06-03-saml-assertion-encryption/","media":[{"type":"image","url":"https://developers.cloudflare.com/_astro/saml-encryption.J5jmiYv8_ZkhXFT.webp","alt":"SAML encryption toggle in the identity provider configuration","r2Key":"releases/bcd26ec90a19c09db08d8e0d0bda411c149fb95567d5012a29e0ccff815244c2.webp","r2Url":"https://media.releases.sh/releases/bcd26ec90a19c09db08d8e0d0bda411c149fb95567d5012a29e0ccff815244c2.webp"}],"prerelease":false,"source":{"slug":"cloudflare-cloudflare-one","name":"Cloudflare One Changelog","type":"feed"},"product":{"slug":"cloudflare-one","name":"Cloudflare One"},"groupSlug":"cloudflare-one","groupName":"Cloudflare 
One","coverageCount":0,"contentChars":1327,"contentTokens":251,"composition":null},{"id":"rel_v6cTixp6iA8sawYfdckpG","version":null,"type":"feature","title":"Cloudflare WAN, Cloudflare One - Cisco IOS XE","summary":"The Cisco IOS XE third-party integration guide for Cloudflare WAN has been updated to include:\n\n- Post Quantum Cryptography (PQC)\n- Policy-Based Routi...","titleGenerated":null,"titleShort":null,"content":"The Cisco IOS XE third-party integration guide for Cloudflare WAN has been updated to include:\n\n- Post Quantum Cryptography (PQC)\n- Policy-Based Routing (PBR)\n- IP Service Level Agreement (IP SLA)\n\nThis link will take you directly to the updated [Cisco IOS XE](https://developers.cloudflare.com/cloudflare-wan/configuration/third-party/cisco-ios-xe/) guide.","publishedAt":"2026-06-02T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-06-02-cisco-ios-xe/","media":[],"prerelease":false,"source":{"slug":"cloudflare-cloudflare-one","name":"Cloudflare One Changelog","type":"feed"},"product":{"slug":"cloudflare-one","name":"Cloudflare One"},"groupSlug":"cloudflare-one","groupName":"Cloudflare One","coverageCount":0,"contentChars":357,"contentTokens":82,"composition":null},{"id":"rel_i-uQ-z3Di1nh_YIu-UU6m","version":"2026.5.1155","type":"feature","title":"Cloudflare One Client - Cloudflare One Client for macOS (version 2026.5.1155.1)","summary":"A new Beta release for the macOS Cloudflare One Client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudf...","titleGenerated":null,"titleShort":null,"content":"A new Beta release for the macOS Cloudflare One Client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).\n\nThis release introduces the new Cloudflare One Client UI for macOS! 
You can expect a cleaner and more intuitive design as well as easier access to common actions and information. Here are some of the many things we have found our users appreciate:\n\n- Right click context menu to access the most common client actions quickly\n- Built-in captive portal login experience\n\n**Additional Changes and improvements**\n\n- The client now applies DNS search suffixes configured in your [device profile](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles) / [network policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies). Administrators can push a list of DNS search domains that the client appends to single-label queries, alongside any system-configured suffixes. See [DNS search suffixes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#dns-search-suffixes) for details.\n- Administrators can now control which virtual networks (VNETs) are available to which users via WARP device profile settings in the Zero Trust dashboard. Previously, every VNET in the organization was visible to every device; you can now scope the VNET picker per profile so users only see the networks relevant to them. See [VNET availability](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#vnet-availability) for details.\n- Added a local-file signal source for Emergency Disconnect. In addition to the existing HTTPS polling mechanism, administrators can now configure WARP to monitor for a file on disk; the presence of the file triggers an emergency disconnect even if both Cloudflare and your own infrastructure are unreachable. Either signal being asserted triggers disconnect; both must be cleared for normal operation to resume.\n- Added new warp-cli debug commands for interactive connection diagnosis. 
See [Extra debug logging](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#extra-debug-logging) for details.\n- The local DNS proxy now supports DNSSEC passthrough. DNSSEC-signed responses are forwarded to the application intact (including DO/AD bits and RRSIG records), so applications that validate DNSSEC locally — including resolvers and the dig/drill tooling — work correctly through the client.\n- Added a new MDM format for organization-wide settings, including a cleaner way to configure the compliance environment (e.g. FedRAMP). The previous per-configuration approach still works, but the new format is now recommended. See the updated [Cloudflare One MDM documentation](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#organization_configs) for details.\n- Client Certificate device-posture checks now support template variables (e.g. `${serial_number}`, `${device_uuid}`) in the Subject Alternative Name field, matching what the documentation has always claimed. Previously only the Common Name field accepted variables, which broke posture rules that pinned identity to a SAN entry.\n- Fixed the in-client captive-portal browser rendering a blank \"Success\" page on some airline Wi-Fi networks (United inflight Wi-Fi was the reported case). The browser now reliably loads the airline's real portal page so users can complete sign-in from inside the client instead of having to open a separate browser.\n- Fixed an issue in proxy mode where hostnames containing underscores (e.g. ai\\_app.com) were rejected, breaking apps that depend on such hostnames (notably ChatGPT sandbox apps). The local proxy now accepts underscore-containing hostnames in CONNECT requests.\n\n**Known issues**\n\n- Registration may hang at \"Checking your organization configuration\" due to IPC errors. 
A system reboot should resolve the error, allowing registration to proceed.\n- Split tunnel list configuration is not available in the new UI. Management of split tunnel entries is currently only possible via `warp-cli tunnel ip` and `warp-cli tunnel host`. UI support will be added in a future release.","publishedAt":"2026-05-29T00:55:38.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-05-29-warp-macos-beta/","media":[],"prerelease":false,"source":{"slug":"cloudflare-cloudflare-one","name":"Cloudflare One Changelog","type":"feed"},"product":{"slug":"cloudflare-one","name":"Cloudflare One"},"groupSlug":"cloudflare-one","groupName":"Cloudflare One","coverageCount":0,"contentChars":4511,"contentTokens":870,"composition":null},{"id":"rel_ipKaxVC5EN8axG56p0I6P","version":"2026.5.1155","type":"feature","title":"Cloudflare One Client - Cloudflare One Client for Windows (version 2026.5.1155.1)","summary":"A new Beta release for the Windows Cloudflare One Client is now available on the [beta releases downloads page](https://developers.cloudflare.com/clou...","titleGenerated":null,"titleShort":null,"content":"A new Beta release for the Windows Cloudflare One Client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).\n\nThis release introduces the new Cloudflare One Client UI for Windows! You can expect a cleaner and more intuitive design as well as easier access to common actions and information. 
Here are some of the many things we have found our users appreciate:\n\n- Right click context menu to access the most common client actions quickly\n- Built-in captive portal login experience\n\n**Additional Changes and improvements**\n\n- The client now applies DNS search suffixes configured in your [device profile](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles) / [network policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies). Administrators can push a list of DNS search domains that the client appends to single-label queries, alongside any system-configured suffixes. See [DNS search suffixes](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#dns-search-suffixes) for details.\n- Administrators can now control which virtual networks (VNETs) are available to which users via WARP device profile settings in the Zero Trust dashboard. Previously, every VNET in the organization was visible to every device; you can now scope the VNET picker per profile so users only see the networks relevant to them. See [VNET availability](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#vnet-availability) for details.\n- Added mandatory authentication. When enabled via MDM, the Cloudflare One Client blocks all Internet traffic from the moment the machine boots until the user authenticates, closing the visibility gap on newly deployed devices and during re-authentication. See the [announcement blog](https://blog.cloudflare.com/mandatory-authentication-mfa/) and [documentation](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/windows-no-auth-no-internet/) for details.\n- Added a local-file signal source for Emergency Disconnect. 
In addition to the existing HTTPS polling mechanism, administrators can now configure WARP to monitor for a file on disk; the presence of the file triggers an emergency disconnect even if both Cloudflare and your own infrastructure are unreachable. Either signal being asserted triggers disconnect; both must be cleared for normal operation to resume.\n- Added new warp-cli debug commands for interactive connection diagnosis. See [Extra debug logging](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#extra-debug-logging) for details.\n- The local DNS proxy now supports DNSSEC passthrough. DNSSEC-signed responses are forwarded to the application intact (including DO/AD bits and RRSIG records), so applications that validate DNSSEC locally — including resolvers and the dig/drill tooling — work correctly through the client.\n- Added a new MDM format for organization-wide settings, including a cleaner way to configure the compliance environment (e.g. FedRAMP). The previous per-configuration approach still works, but the new format is now recommended. See the updated [Cloudflare One MDM documentation](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/parameters/#organization_configs) for details.\n- Client Certificate device-posture checks now support template variables (e.g. `${serial_number}`, `${device_uuid}`) in the Subject Alternative Name field, matching what the documentation has always claimed. Previously only the Common Name field accepted variables, which broke posture rules that pinned identity to a SAN entry.\n- The UseWebView2 registry value (HKLM\\\\SOFTWARE\\\\Cloudflare\\\\CloudflareWARP\\\\UseWebView2 = y) is once again honored by the new GUI for authentication, so administrators who prefer the embedded WebView2 browser for sign-in can opt back in. 
This setting was effectively ignored in the previous release; the default browser was always used. This key is now also honored for re-authentications.\n- Fixed a crash in the authentication browser when navigating to a site that prompts for browser permissions (microphone, camera, notifications, etc.). The same fix had previously landed for the captive-portal browser; this extends it to the auth browser.\n- Fixed an issue in proxy mode where hostnames containing underscores (e.g. ai\\_app.com) were rejected, breaking apps that depend on such hostnames (notably ChatGPT sandbox apps). The local proxy now accepts underscore-containing hostnames in CONNECT requests.\n\n**Known issues**\n\n- An error indicating that Microsoft Edge can't read and write to its data directory may be displayed during captive portal login; this error is benign and can be dismissed.\n- Registration may hang at \"Checking your organization configuration\" due to IPC errors. A system reboot should resolve the error, allowing registration to proceed.\n- Split tunnel list configuration is not available in the new UI. Management of Split Tunnel entries is currently only possible via `warp-cli tunnel ip` and `warp-cli tunnel host`. UI support will be added in a future release.\n- Windows ARM may prompt the user to close running applications while trying to install this version. Simply click “Ok” with the default highlighted option.\n- DNS resolution may be broken when the following conditions are all true:\n    -   The client is in Secure Web Gateway without DNS filtering (tunnel-only) mode.\n    -   A custom DNS server address is configured on the primary network adapter.\n    -   The custom DNS server address on the primary network adapter is changed while the client is connected.  
\n        To work around this issue, please reconnect the client by selecting \"disconnect\" and then \"connect\" in the client user interface.","publishedAt":"2026-05-29T00:55:37.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-05-29-warp-windows-beta/","media":[],"prerelease":false,"source":{"slug":"cloudflare-cloudflare-one","name":"Cloudflare One Changelog","type":"feed"},"product":{"slug":"cloudflare-one","name":"Cloudflare One"},"groupSlug":"cloudflare-one","groupName":"Cloudflare One","coverageCount":0,"contentChars":6202,"contentTokens":1201,"composition":null},{"id":"rel_dAqDJxo3-rkQvvtQSYUFL","version":null,"type":"feature","title":"Cloudflare Mesh, Cloudflare One - High availability replica management for Cloudflare Mesh","summary":"The [Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) dashboard now shows per-replica details f...","titleGenerated":null,"titleShort":null,"content":"The [Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) dashboard now shows per-replica details for [high availability](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/high-availability/) nodes. You can see which replica is active, view each replica's Mesh IP and connection details, and manually trigger failover — all from the node detail page.\n\n![Mesh HA replica tabs showing active and passive replicas with per-replica Mesh IPs and a manual failover option](https://developers.cloudflare.com/_astro/mesh-ha-replicas.Dvf1GMmQ_Z2i6nGi.webp)\n\n#### What's new\n\n- **Replica tabs** on the node detail page — switch between replicas to see each one's Mesh IP, edge data center, origin IP, platform, version, and uptime.\n- **Active/passive badges** identify which replica is currently routing traffic.\n- **Manual failover** — promote a passive replica to active with a single click. 
The previous active replica switches to standby.\n- **HA badge** in the overview table identifies nodes running multiple replicas.\n- **Active replica IP** shown in the overview table — the dashboard now resolves which replica is active and displays the correct Mesh IP.\n\n#### Manual failover\n\nTo manually promote a passive replica:\n\n1. In the [Cloudflare dashboard](https://dash.cloudflare.com/?to=/:account/mesh), go to **Networking** > **Mesh**.\n2. Select an HA-enabled node.\n3. Select the passive replica tab.\n4. Select **Promote to active** and confirm.\n\nTraffic reroutes to the promoted replica immediately. Refer to [High availability](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/high-availability/) for details on failover behavior.","publishedAt":"2026-05-28T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-05-28-mesh-ha-replica-ui/","media":[{"type":"image","url":"https://developers.cloudflare.com/_astro/mesh-ha-replicas.Dvf1GMmQ_Z2i6nGi.webp","alt":"Mesh HA replica tabs showing active and passive replicas with per-replica Mesh IPs and a manual failover option","r2Key":"releases/e33e81d5fc4f34d32b7aa2bec997d16adc94a030c1e7179e012bb5244ce585fd.webp","r2Url":"https://media.releases.sh/releases/e33e81d5fc4f34d32b7aa2bec997d16adc94a030c1e7179e012bb5244ce585fd.webp"}],"prerelease":false,"source":{"slug":"cloudflare-cloudflare-one","name":"Cloudflare One Changelog","type":"feed"},"product":{"slug":"cloudflare-one","name":"Cloudflare One"},"groupSlug":"cloudflare-one","groupName":"Cloudflare One","coverageCount":0,"contentChars":1749,"contentTokens":381,"composition":null},{"id":"rel_Mcf754ws8Dy5Aytnz-MKC","version":null,"type":"feature","title":"Access - Tool and prompt aliases for MCP server portals","summary":"When you connect third-party MCP servers through [MCP server 
portals](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp...","titleGenerated":null,"titleShort":null,"content":"When you connect third-party MCP servers through [MCP server portals](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/), you have no control over how the server author named tools or wrote descriptions. Unclear names make it harder for AI agents to select the right tool and harder for users to understand what is available.\n\nYou can now [rename tools and prompts](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/#rename-tools-and-prompts-with-aliases) and rewrite their descriptions directly on the portal, without modifying the upstream server. For example, a tool named `super_cool_tool` can become `search_customer_records` with a description tailored to your organization.\n\n![Edit tool modal showing name and description fields for an MCP server tool](https://developers.cloudflare.com/_astro/portal-edit-tool-modal.DrxORhBl_Z1NtRnj.webp)\n\nModified tools display a **Modified** label in the tools list so administrators can see which tools have been customized at a glance.\n\n![Tools authorized list showing a modified label on a renamed tool](https://developers.cloudflare.com/_astro/portal-tools-authorized-modified.B674Xvip_12xxcK.webp)\n\nAliases override the metadata that MCP clients receive. You can set them at two levels:\n\n- **Per portal**: Applies only within a specific portal. 
Takes precedence over server-level aliases.\n- **Per server**: Applies across all portals that use the server.\n\nYou can reset an alias at any time to restore the original upstream name.\n\nFor more information, refer to [Tool and prompt aliases](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/#rename-tools-and-prompts-with-aliases).","publishedAt":"2026-05-28T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-05-28-mcp-portal-tool-prompt-aliases/","media":[{"type":"image","url":"https://developers.cloudflare.com/_astro/portal-edit-tool-modal.DrxORhBl_Z1NtRnj.webp","alt":"Edit tool modal showing name and description fields for an MCP server tool","r2Key":"releases/df41193209502f385b6db04ccd4067a26ebd28501e7f694a4f3a9105c220ec1b.webp","r2Url":"https://media.releases.sh/releases/df41193209502f385b6db04ccd4067a26ebd28501e7f694a4f3a9105c220ec1b.webp"},{"type":"image","url":"https://developers.cloudflare.com/_astro/portal-tools-authorized-modified.B674Xvip_12xxcK.webp","alt":"Tools authorized list showing a modified label on a renamed tool","r2Key":"releases/96aef227256bba806c6caef8677d0f35ba647dda04d6fc5dfe37b5d4c05b44fe.webp","r2Url":"https://media.releases.sh/releases/96aef227256bba806c6caef8677d0f35ba647dda04d6fc5dfe37b5d4c05b44fe.webp"}],"prerelease":false,"source":{"slug":"cloudflare-cloudflare-one","name":"Cloudflare One Changelog","type":"feed"},"product":{"slug":"cloudflare-one","name":"Cloudflare One"},"groupSlug":"cloudflare-one","groupName":"Cloudflare One","coverageCount":0,"contentChars":1745,"contentTokens":359,"composition":null},{"id":"rel_iAorz8lY30HBwIlbqv5uh","version":null,"type":"feature","title":"Cloudflare Tunnel, Cloudflare Tunnel for SASE - Cloudflare Tunnel now runs connectivity pre-checks at startup","summary":"Starting with [`cloudflared` version 2026.5.2](https://github.com/cloudflare/cloudflared/releases), [Cloudflare 
Tunnel](https://developers.cloudflare....","titleGenerated":null,"titleShort":null,"content":"Starting with [`cloudflared` version 2026.5.2](https://github.com/cloudflare/cloudflared/releases), [Cloudflare Tunnel](https://developers.cloudflare.com/tunnel/) automates the entire [connectivity pre-checks workflow](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/connectivity-prechecks/) directly inside the binary. Previously, customers had to install `dig` and `netcat` and run those commands by hand to verify their environment. Now `cloudflared` does it natively at startup — and surfaces actionable remediation when something is blocked.\n\n![cloudflared connectivity pre-checks output](https://developers.cloudflare.com/_astro/cloudflared-connectivity-prechecks.DRwN6tGe_c1XGu.webp)\n\nOn every `cloudflared tunnel run` (and `cloudflared tunnel diag`), the binary now natively checks:\n\n- **DNS resolution** — `region1.v2.argotunnel.com` and `region2.v2.argotunnel.com` resolve to valid Cloudflare IPs.\n- **Transport connectivity** — outbound `UDP (QUIC)` and `TCP (HTTP/2)` on port `7844`.\n- **Management API** — outbound `TCP/443` to `api.cloudflare.com` for software updates.\n\nResults are printed in a scannable CLI table with three states:\n\n- ✅ **Pass** — the check succeeded.\n- ⚠️ **Warn** — a non-blocking issue, for example the Management API is unreachable so automatic updates will not work, but the tunnel will still come up.\n- ❌ **Fail** — a blocking issue, with a specific remediation hint (for example, `Allow outbound UDP on port 7844`).\n\nIf DNS is unresolvable, or **both** UDP and TCP fail on port 7844, `cloudflared` exits early with the failure rather than looping on opaque `failed to dial` errors.\n\nPre-checks now run automatically on every start, which also catches regressions like overnight firewall policy changes — no need to remember to rerun the troubleshooting guide.\n\nTo get the new 
behavior, upgrade `cloudflared` to version `2026.5.2` or later. For more details, refer to the [Connectivity pre-checks documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/connectivity-prechecks/).","publishedAt":"2026-05-27T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-05-27-cloudflared-connectivity-prechecks/","media":[{"type":"image","url":"https://developers.cloudflare.com/_astro/cloudflared-connectivity-prechecks.DRwN6tGe_c1XGu.webp","alt":"cloudflared connectivity pre-checks output","r2Key":"releases/06825daee11a5f1d213baf50768ac16c7be986809cb653dab0e940dd84657640.webp","r2Url":"https://media.releases.sh/releases/06825daee11a5f1d213baf50768ac16c7be986809cb653dab0e940dd84657640.webp"}],"prerelease":false,"source":{"slug":"cloudflare-cloudflare-one","name":"Cloudflare One Changelog","type":"feed"},"product":{"slug":"cloudflare-one","name":"Cloudflare One"},"groupSlug":"cloudflare-one","groupName":"Cloudflare One","coverageCount":0,"contentChars":2145,"contentTokens":515,"composition":null},{"id":"rel_IGHYm6qqYVSyhSTbIYaQi","version":null,"type":"feature","title":"Cloudflare One, Gateway - Write regex using natural language in Cloudflare One","summary":"[Cloudflare Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) policy selectors which support regular expressions can now be...","titleGenerated":null,"titleShort":null,"content":"[Cloudflare Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) policy selectors which support regular expressions can now be authored in the dashboard using natural language. 
When building a [policy](https://developers.cloudflare.com/cloudflare-one/traffic-policies/expression-syntax/) with a regex-based selector (like `matches regex`), you can describe what you want to match in plain English and the Cloudflare Agent will generate and validate a corresponding regular expression.\n\n![Write policy regex using natural language](https://developers.cloudflare.com/_astro/gateway-regex-ai-generation.CtJ0S6FS_Z1WVe4K.webp)\n\nTo get started, select a regex-compatible selector in the [Gateway policy builder](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) and select the icon. You'll see an input field for natural language, such as \"any URL starting with /api/v1\" or \".com, .net, and .app hosts which contain `gooogle` in the host.\"\n\nYou can also use the tool to explain existing regular expressions. If a policy already contains a regex pattern, you can instantly generate a plain-language description.\n\nA built-in feedback mechanism allows you to rate each interaction to help improve output quality over time.\n\nFor more information, refer to [Cloudflare One firewall policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) and expect to see the same functionality supported soon in [Data loss prevention profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/).","publishedAt":"2026-05-27T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-05-27-cloudy-regex-assistance/","media":[{"type":"image","url":"https://developers.cloudflare.com/_astro/gateway-regex-ai-generation.CtJ0S6FS_Z1WVe4K.webp","alt":"Write policy regex using natural language","r2Key":"releases/48eb984c3074843312c7ce184026ef5563fd0cf34d97b7e5f1c27eb03e158a60.webp","r2Url":"https://media.releases.sh/releases/48eb984c3074843312c7ce184026ef5563fd0cf34d97b7e5f1c27eb03e158a60.webp"}],"prerelease":false,"source":{"slug":"cloudflare-cloudflare-one","name":"Cloudflare One 
Changelog","type":"feed"},"product":{"slug":"cloudflare-one","name":"Cloudflare One"},"groupSlug":"cloudflare-one","groupName":"Cloudflare One","coverageCount":0,"contentChars":1555,"contentTokens":313,"composition":null},{"id":"rel_Be3q9762QConQBXtT_US_","version":"2026.4.1390","type":"feature","title":"Cloudflare One Client - Cloudflare One Client for macOS (version 2026.4.1390.0)","summary":"A new GA release for the macOS Cloudflare One Client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudf...","titleGenerated":null,"titleShort":null,"content":"A new GA release for the macOS Cloudflare One Client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).\n\nThis release introduces the new Cloudflare One Client UI for macOS! You can expect a cleaner and more intuitive design as well as easier access to common actions and information. Here are some of the many things we have found our users appreciate:\n\n- Right click context menu to access the most common client actions quickly\n- Built-in captive portal login experience\n\n**Additional Changes and improvements**\n\n- Added a new CLI command: warp-cli mdm refresh. This command executes an immediate refresh of the Mobile Device Management (MDM) configuration file.\n- Fixed a proxy mode connection stall issue.\n\n**Known issues**\n\n- Registration may hang at \"Checking your organization configuration\" due to IPC errors. A system reboot should resolve the error, allowing registration to proceed.\n- Split tunnel list configuration is not available in the new UI. Management of split tunnel entries is currently only possible via `warp-cli tunnel ip` and `warp-cli tunnel host`. 
UI support will be added in a future release.","publishedAt":"2026-05-26T22:26:01.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-05-26-warp-macos-ga/","media":[],"prerelease":false,"source":{"slug":"cloudflare-cloudflare-one","name":"Cloudflare One Changelog","type":"feed"},"product":{"slug":"cloudflare-one","name":"Cloudflare One"},"groupSlug":"cloudflare-one","groupName":"Cloudflare One","coverageCount":0,"contentChars":1236,"contentTokens":237,"composition":null},{"id":"rel_16vtPqeutFPRSrSt40GMo","version":"2026.4.1390","type":"feature","title":"Cloudflare One Client - Cloudflare One Client for Windows (version 2026.4.1390.0)","summary":"A new GA release for the Windows Cloudflare One Client is now available on the [stable releases downloads page](https://developers.cloudflare.com/clou...","titleGenerated":null,"titleShort":null,"content":"A new GA release for the Windows Cloudflare One Client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).\n\nThis release introduces the new Cloudflare One Client UI for Windows! You can expect a cleaner and more intuitive design as well as easier access to common actions and information. Here are some of the many things we have found our users appreciate:\n\n- Right click context menu to access the most common client actions quickly\n- Built-in captive portal login experience\n\n**Additional Changes and improvements**\n\n- Added a new CLI command: warp-cli mdm refresh. This command executes an immediate refresh of the Mobile Device Management (MDM) configuration file.\n- Fixed a proxy mode connection stall issue.\n\n**Known issues**\n\n- Registration authentication for devices via the integrated WebView2 browser is unavailable in this version as a temporary measure. 
As a result, the client will utilize the default browser on the device to complete the authentication process.\n- An error indicating that Microsoft Edge can't read and write to its data directory may be displayed during captive portal login; this error is benign and can be dismissed.\n- Registration may hang at \"Checking your organization configuration\" due to IPC errors. A system reboot should resolve the error, allowing registration to proceed.\n- Split tunnel list configuration is not available in the new UI. Management of Split Tunnel entries is currently only possible via `warp-cli tunnel ip` and `warp-cli tunnel host`. UI support will be added in a future release.\n- Windows ARM may prompt the user to close running applications while trying to install this version. Simply click “Ok” with the default highlighted option.\n- DNS resolution may be broken when the following conditions are all true:\n    -   The client is in Secure Web Gateway without DNS filtering (tunnel-only) mode.\n    -   A custom DNS server address is configured on the primary network adapter.\n    -   The custom DNS server address on the primary network adapter is changed while the client is connected.  
\n        To work around this issue, please reconnect the client by selecting \"disconnect\" and then \"connect\" in the client user interface.","publishedAt":"2026-05-26T22:26:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-05-26-warp-windows-ga/","media":[],"prerelease":false,"source":{"slug":"cloudflare-cloudflare-one","name":"Cloudflare One Changelog","type":"feed"},"product":{"slug":"cloudflare-one","name":"Cloudflare One"},"groupSlug":"cloudflare-one","groupName":"Cloudflare One","coverageCount":0,"contentChars":2309,"contentTokens":439,"composition":null},{"id":"rel_i86tCZvsdGv8Bs7Hxrl-u","version":"2026.4.1390","type":"feature","title":"Cloudflare One Client - Cloudflare One Client for Linux (version 2026.4.1390.0)","summary":"A new GA release for the Linux Cloudflare One Client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudf...","titleGenerated":null,"titleShort":null,"content":"A new GA release for the Linux Cloudflare One Client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).\n\nThis release introduces the new Cloudflare One Client UI for Linux! You can expect a cleaner and more intuitive design as well as easier access to common actions and information. Here are some of the many things we have found our users appreciate:\n\n- Right click context menu to access the most common client actions quickly\n- Built-in captive portal login experience\n\n**Changes and improvements**\n\n- Added a new CLI command: warp-cli mdm refresh. This command executes an immediate refresh of the Mobile Device Management (MDM) configuration file.\n- Official support for RHEL 9 has been added for Cloudflare Mesh nodes. 
To install the RHEL 9 package, the Extra Packages for Enterprise Linux (EPEL) repository must be active, as it contains dependencies required for the tray icon and captive portal webview.\n- Fixed a proxy mode connection stall issue.\n\n**Known issues**\n\n- Registration may hang at \"Checking your organization configuration\" due to IPC errors. A system reboot should resolve the error, allowing registration to proceed.\n- Split tunnel list configuration is not available in the new UI. Management of split tunnel entries is currently only possible via `warp-cli tunnel ip` and `warp-cli tunnel host`. UI support will be added in a future release.","publishedAt":"2026-05-26T20:32:41.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-05-26-warp-linux-ga/","media":[],"prerelease":false,"source":{"slug":"cloudflare-cloudflare-one","name":"Cloudflare One Changelog","type":"feed"},"product":{"slug":"cloudflare-one","name":"Cloudflare One"},"groupSlug":"cloudflare-one","groupName":"Cloudflare One","coverageCount":0,"contentChars":1485,"contentTokens":293,"composition":null},{"id":"rel_PKMNp0HJb3Onst88y8Abp","version":null,"type":"feature","title":"Cloudflare Fundamentals, Cloudflare One, Cloudflare Tunnel for SASE, Cloudflare Tunnel, Cloudflare Mesh - Granular permissions for Cloudflare Tunnel and Cloudflare Mesh","summary":"You can now scope Cloudflare permissions to individual [Cloudflare Tunnel](https://developers.cloudflare.com/tunnel/) instances and [Cloudflare Mesh](...","titleGenerated":null,"titleShort":null,"content":"You can now scope Cloudflare permissions to individual [Cloudflare Tunnel](https://developers.cloudflare.com/tunnel/) instances and [Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) nodes. 
Administrators can delegate access to specific Tunnels or Mesh nodes without granting account-wide control over private networking.\n\n#### What is new\n\nWhen you [add a member](https://developers.cloudflare.com/fundamentals/manage-members/manage/) or create a [permission policy](https://developers.cloudflare.com/fundamentals/manage-members/policies/), the resource picker now lists [Cloudflare Tunnel](https://developers.cloudflare.com/tunnel/) instances and [Cloudflare Mesh](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-mesh/) nodes as scopable resource types. You can:\n\n- Grant a read-only role on a single Cloudflare Tunnel instance to a support operator for log streaming and diagnostics — without exposing other Tunnels or destructive actions.\n- Grant a write role on a specific Cloudflare Mesh node to an application team — without giving them access to the rest of your private network.\n- Scope a single policy to one or many Tunnels and Mesh nodes at once.\n\n#### How it works\n\nGranular permissions are a parallel layer to existing account-level roles — they do not replace them.\n\n- **Existing account-level roles continue to work.** A member with `Cloudflare Access` or `Cloudflare Zero Trust` retains write access to every Tunnel and Mesh node in the account. 
This ensures backward compatibility for existing automation and tokens.\n- **Granular permissions are additive.** For any API request on a specific Tunnel or Mesh node, access is granted if the principal has **either** the account-level role **or** a granular permission for that resource.\n- **Resource enumeration is authorization-aware.** Listing endpoints (`GET /accounts/{id}/cfd_tunnel`, `GET /accounts/{id}/warp_connector`) return only the resources the principal has at least read access to.\n\n#### Get started\n\n- Configure [granular permissions for Cloudflare Tunnel](https://developers.cloudflare.com/tunnel/advanced/granular-permissions/).\n- Configure [granular permissions for Cloudflare Tunnel and Cloudflare Mesh in Cloudflare One](https://developers.cloudflare.com/cloudflare-one/networks/connectors/granular-permissions/).\n- Review the [resource-scoped roles](https://developers.cloudflare.com/fundamentals/manage-members/roles/#resource-scoped-roles) on the Cloudflare role reference.","publishedAt":"2026-05-21T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-05-21-tunnel-mesh-granular-permissions/","media":[],"prerelease":false,"source":{"slug":"cloudflare-cloudflare-one","name":"Cloudflare One Changelog","type":"feed"},"product":{"slug":"cloudflare-one","name":"Cloudflare One"},"groupSlug":"cloudflare-one","groupName":"Cloudflare One","coverageCount":0,"contentChars":2547,"contentTokens":516,"composition":null},{"id":"rel_s2xXcBc8UJT931IUnmM86","version":null,"type":"feature","title":"Access - Cloudflare as identity provider and account membership selector","summary":"Cloudflare Access now supports using Cloudflare itself as an [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identit...","titleGenerated":null,"titleShort":null,"content":"Cloudflare Access now supports using Cloudflare itself as an [identity 
provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/cloudflare/). If you publish an Access application and select Cloudflare as the login method, users can sign in with their existing Cloudflare account — no one-time PINs, no third-party IdP configuration, and no shared email inboxes. Authentication is backed by Cloudflare's own account security (including multi-factor authentication), making it both simpler to set up and more secure than OTP-based login for most use cases.\n\nCloudflare is now the **default identity provider for all newly created Zero Trust accounts**, replacing One-time PIN.\n\nThis also enables two new capabilities:\n\n- **Cloudflare Account Member selector** — A new [policy selector](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#cloudflare-access-selectors) that matches users based on their membership in a Cloudflare account. You can target the current account or specify a different account ID for cross-account access scenarios.\n- **Restrict to account members** — An identity provider configuration option that limits authentication to users who are members of your Cloudflare account.\n\nTo get started, add Cloudflare as an [identity provider](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/cloudflare/) in your Zero Trust settings.","publishedAt":"2026-05-19T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-05-19-cloudflare-as-identity-provider/","media":[],"prerelease":false,"source":{"slug":"cloudflare-cloudflare-one","name":"Cloudflare One Changelog","type":"feed"},"product":{"slug":"cloudflare-one","name":"Cloudflare One"},"groupSlug":"cloudflare-one","groupName":"Cloudflare One","coverageCount":0,"contentChars":1435,"contentTokens":274,"composition":null},{"id":"rel_OwwdvhA7cnQm8qY_IRCde","version":null,"type":"feature","title":"CASB - CASB adds support for Claude Compliance API","summary":"[Cloudflare 
CASB](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/anthropic/) now integrates with the [Claude Compliance ...","titleGenerated":null,"titleShort":null,"content":"[Cloudflare CASB](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/anthropic/) now integrates with the [Claude Compliance API](https://support.claude.com/en/articles/13015708-access-the-compliance-api). This enhancement gives security teams visibility into Claude usage patterns, admin activity, and compliance-relevant events across their organization.\n\nThe Claude Compliance API provides structured access to audit logs and administrative actions within Claude Enterprise and Claude Platform. Cloudflare CASB ingests this data to surface security findings that help organizations enhance their security posture and enforce AI governance.\n\n#### Key capabilities\n\nStarting today, security teams can scan for security findings across the following assets:\n\n- **Public projects** — Projects set to public visibility\n- **Project attachment** — Files and documents added to projects that violate DLP policies\n- **Chat files** — User-uploaded and provider-generated files that violate DLP policies\n- **Chat messages** — User prompts and provider responses that violate DLP policies\n- **Artifacts** — Provider-generated documents and files that violate DLP policies\n\n#### Learn more\n\nThis [integration](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/anthropic/) is available to all Cloudflare One customers. New Cloudflare customers can sign up and start with their first two integrations for free. Existing customers can enable the integration directly in the dashboard. 
The integration begins scanning immediately and surfaces findings in the dashboard within minutes.","publishedAt":"2026-05-19T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-05-19-casb-claude-compliance-api/","media":[],"prerelease":false,"source":{"slug":"cloudflare-cloudflare-one","name":"Cloudflare One Changelog","type":"feed"},"product":{"slug":"cloudflare-one","name":"Cloudflare One"},"groupSlug":"cloudflare-one","groupName":"Cloudflare One","coverageCount":0,"contentChars":1622,"contentTokens":304,"composition":null},{"id":"rel_BnSLscohRyZ7J--kVsz7w","version":null,"type":"feature","title":"Cloudflare WAN, Magic Transit - Network Analytics support for Unified Routing","summary":"[Network Analytics](https://developers.cloudflare.com/analytics/network-analytics/) is now fully supported for accounts using [Unified Routing](https:...","titleGenerated":null,"titleShort":null,"content":"[Network Analytics](https://developers.cloudflare.com/analytics/network-analytics/) is now fully supported for accounts using [Unified Routing](https://developers.cloudflare.com/cloudflare-wan/reference/traffic-steering/#unified-routing-mode-beta) mode. Traffic that traverses Unified Routing onramps and offramps is now visible in Network Analytics with the same dimensions and filters as traffic on the standard data plane.\n\nThis closes a parity gap for customers who had moved tunnels onto Unified Routing and lost visibility into their dataplane traffic in the Network Analytics dashboard. 
No configuration change is required — analytics data is collected automatically for all accounts with Unified Routing enabled.\n\nFor the remaining beta limitations, refer to [Traffic steering beta limitations](https://developers.cloudflare.com/cloudflare-wan/reference/traffic-steering/#beta-limitations).","publishedAt":"2026-05-18T00:00:00.000Z","url":"https://developers.cloudflare.com/changelog/post/2026-05-18-unified-routing-network-analytics/","media":[],"prerelease":false,"source":{"slug":"cloudflare-cloudflare-one","name":"Cloudflare One Changelog","type":"feed"},"product":{"slug":"cloudflare-one","name":"Cloudflare One"},"groupSlug":"cloudflare-one","groupName":"Cloudflare One","coverageCount":0,"contentChars":898,"contentTokens":161,"composition":null}],"pagination":{"nextCursor":"2026-05-18T00:00:00.000Z|2026-06-19T21:07:28.683Z|rel_BnSLscohRyZ7J--kVsz7w","limit":20}}