
Cloudflare Changelog

Jan 30, 2026

The minimum cacheTtl parameter for Workers KV has been reduced from 60 seconds to 30 seconds. This change applies to both get() and getWithMetadata() methods.

This reduction allows you to maintain more up-to-date cached data and have finer-grained control over cache behavior. Applications requiring faster data refresh rates can now configure cache durations as low as 30 seconds instead of the previous 60-second minimum.

The cacheTtl parameter defines how long a KV result is cached at the global network location it is accessed from:

```js
// Read with custom cache TTL
const value = await env.NAMESPACE.get("my-key", {
  cacheTtl: 30, // Cache for minimum 30 seconds (previously 60)
});

// getWithMetadata also supports the reduced cache TTL
const valueWithMetadata = await env.NAMESPACE.getWithMetadata("my-key", {
  cacheTtl: 30, // Cache for minimum 30 seconds
});
```

The default cache TTL remains unchanged at 60 seconds. Upgrade to the latest version of Wrangler to be able to use 30 seconds cacheTtl.

This change affects all KV read operations using the binding API. For more information, consult the Workers KV cache TTL documentation.

Magic WAN and Magic Transit customers can use the Cloudflare dashboard to configure and manage BGP peering between their networks and their Magic routing table when using IPsec and GRE tunnel on-ramps (beta). Using BGP peering allows customers to:

- Automate the process of adding or removing networks and subnets.
- Take advantage of failure detection and session recovery features.

With this functionality, customers can:

- Establish an eBGP session between their devices and the Magic WAN / Magic Transit service when connected via IPsec and GRE tunnel on-ramps.
- Secure the session by MD5 authentication to prevent misconfigurations.
- Exchange routes dynamically between their devices and their Magic routing table.

For configuration details, refer to:

- Configure BGP routes for Magic WAN
- Configure BGP routes for Magic Transit

Jan 28, 2026

We have partnered with Black Forest Labs (BFL) again to bring their optimized FLUX.2 [klein] 9B model to Workers AI. This distilled model offers enhanced quality compared to the 4B variant, while maintaining cost-effective pricing. With a fixed 4-step inference process, Klein 9B is ideal for rapid prototyping and real-time applications where both speed and quality matter.

Read the BFL blog to learn more about the model itself, or try it out yourself on our multi modal playground. Pricing documentation is available on the model page or pricing page.

Workers AI platform specifics

The model hosted on Workers AI is optimized for speed with a fixed 4-step inference process and supports up to 4 image inputs. Since this is a distilled model, the steps parameter is fixed at 4 and cannot be adjusted. Like FLUX.2 [dev] and FLUX.2 [klein] 4B, this image model uses multipart form data inputs, even if you just have a prompt.

With the REST API, the multipart form data input looks like this:

```bash
curl --request POST \
  --url 'https://api.cloudflare.com/client/v4/accounts/{ACCOUNT}/ai/run/@cf/black-forest-labs/flux-2-klein-9b' \
  --header 'Authorization: Bearer {TOKEN}' \
  --header 'Content-Type: multipart/form-data' \
  --form 'prompt=a sunset at the alps' \
  --form width=1024 \
  --form height=1024
```

With the Workers AI binding, you can use it as such:

```js
const form = new FormData();
form.append("prompt", "a sunset with a dog");
form.append("width", "1024");
form.append("height", "1024");

// FormData doesn't expose its serialized body or boundary. Passing it to a
// Request (or Response) constructor serializes it and generates the Content-Type
// header with the boundary, which is required for the server to parse the multipart fields.
const formResponse = new Response(form);
const formStream = formResponse.body;
const formContentType = formResponse.headers.get('content-type');

const resp = await env.AI.run("@cf/black-forest-labs/flux-2-klein-9b", {
  multipart: {
    body: formStream,
    contentType: formContentType,
  },
});
```

The parameters you can send to the model are detailed here:

JSON Schema for Model

Required Parameters

- prompt (string) - Text description of the image to generate

Optional Parameters

- input_image_0 (string) - Binary image
- input_image_1 (string) - Binary image
- input_image_2 (string) - Binary image
- input_image_3 (string) - Binary image
- guidance (float) - Guidance scale for generation. Higher values follow the prompt more closely
- width (integer) - Width of the image, default 1024. Range: 256-1920
- height (integer) - Height of the image, default 768. Range: 256-1920
- seed (integer) - Seed for reproducibility

Note: Since this is a distilled model, the steps parameter is fixed at 4 and cannot be adjusted.

Multi-reference images

The FLUX.2 klein-9b model supports generating images based on reference images, just like FLUX.2 [dev] and FLUX.2 [klein] 4B. You can use this feature to apply the style of one image to another, add a new character to an image, or iterate on past generated images. You would use it with the same multipart form data structure, with the input images in binary. The model supports up to 4 input images.

For the prompt, you can reference the images based on the index, like "take the subject of image 1 and style it like image 0", or even use natural language like "place the dog beside the woman".

You must name the input parameter as input_image_0, input_image_1, input_image_2, input_image_3 for it to work correctly. All input images must be smaller than 512x512.

```bash
curl --request POST \
  --url 'https://api.cloudflare.com/client/v4/accounts/{ACCOUNT}/ai/run/@cf/black-forest-labs/flux-2-klein-9b' \
  --header 'Authorization: Bearer {TOKEN}' \
  --header 'Content-Type: multipart/form-data' \
  --form 'prompt=take the subject of image 1 and style it like image 0' \
  --form input_image_0=@/Users/johndoe/Desktop/icedoutkeanu.png \
  --form input_image_1=@/Users/johndoe/Desktop/me.png \
  --form width=1024 \
  --form height=1024
```

Through Workers AI Binding:

```ts
// Helper function to convert ReadableStream to Blob
async function streamToBlob(stream: ReadableStream, contentType: string): Promise<Blob> {
  const reader = stream.getReader();
  const chunks = [];

  while (true) {
    const { done, value } = await reader.read();
    if (done) break;
    chunks.push(value);
  }

  return new Blob(chunks, { type: contentType });
}

const image0 = await fetch("http://image-url");
const image1 = await fetch("http://image-url");
const form = new FormData();

const image_blob0 = await streamToBlob(image0.body, "image/png");
const image_blob1 = await streamToBlob(image1.body, "image/png");
form.append('input_image_0', image_blob0);
form.append('input_image_1', image_blob1);
form.append('prompt', 'take the subject of image 1 and style it like image 0');

// FormData doesn't expose its serialized body or boundary. Passing it to a
// Request (or Response) constructor serializes it and generates the Content-Type
// header with the boundary, which is required for the server to parse the multipart fields.
const formResponse = new Response(form);
const formStream = formResponse.body;
const formContentType = formResponse.headers.get('content-type');

const resp = await env.AI.run("@cf/black-forest-labs/flux-2-klein-9b", {
  multipart: {
    body: formStream,
    contentType: formContentType
  }
});
```

Jan 27, 2026
Cloudflare One Client - WARP client for Windows (version 2026.1.89.1)

A new Beta release for the Windows WARP client is now available on the beta releases downloads page.

This release contains minor fixes, improvements, and new features.

Changes and improvements

- Improvements to multi-user mode. Fixed an issue where when switching from a pre-login registration to a user registration, Mobile Device Management (MDM) configuration association could be lost.
- Added a new feature to manage NetBIOS over TCP/IP functionality on the Windows client. NetBIOS over TCP/IP on the Windows client is now disabled by default and can be enabled in device profile settings.
- Fixed an issue causing failure of the local network exclusion feature when configured with a timeout of 0.
- Improvement for the Windows client certificate posture check to ensure logged results are from checks that run once users log in.
- Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 KB5062553 or higher for resolution.

Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.

DNS resolution may be broken when the following conditions are all true:

- WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
- A custom DNS server address is configured on the primary network adapter.
- The custom DNS server address on the primary network adapter is changed while WARP is connected.

To work around this issue, reconnect the WARP client by toggling off and back on.

Cloudflare One Client - WARP client for macOS (version 2026.1.89.1)

A new Beta release for the macOS WARP client is now available on the beta releases downloads page.

This release contains minor fixes and improvements.

Changes and improvements

- Fixed an issue causing failure of the local network exclusion feature when configured with a timeout of 0.
- Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard.

You can now control how Cloudflare buffers HTTP request and response bodies using two new settings in Configuration Rules.

Request body buffering

Controls how Cloudflare buffers HTTP request bodies before forwarding them to your origin server:

| Mode | Behavior |
| --- | --- |
| Standard (default) | Cloudflare can inspect a prefix of the request body for enabled functionality such as WAF and Bot Management. |
| Full | Buffers the entire request body before sending to origin. |
| None | No buffering — the request body streams directly to origin without inspection. |

Response body buffering

Controls how Cloudflare buffers HTTP response bodies before forwarding them to the client:

| Mode | Behavior |
| --- | --- |
| Standard (default) | Cloudflare can inspect a prefix of the response body for enabled functionality. |
| None | No buffering — the response body streams directly to the client without inspection. |

Warning: Setting body buffering to None may break security functionality that requires body inspection, including the Web Application Firewall (WAF) and Bot Management. Ensure that any paths where you disable buffering do not require security inspection.

Availability: These settings only take effect on zones running Cloudflare's latest CDN proxy. Enterprise customers can contact their account team to enable the latest proxy on their zones.

API example

```json
{
  "action": "set_config",
  "action_parameters": {
    "request_body_buffering": "standard",
    "response_body_buffering": "none"
  }
}
```

For more information, refer to Configuration Rules.
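A check that follows from the warning about setting body buffering to None, added here as an example and not taken from Cloudflare's documentation: it walks a Configuration Rules ruleset and reports every enabled rule that sets either buffering mode to none, ranked by whether the rule's expression overlaps paths you expect WAF or Bot Management to inspect. The ruleset, rule IDs and inspected-path list are constructed, and the expression matching is a string heuristic, not a parser for the Rules language.

```javascript
// Constructed sample: a Configuration Rules ruleset reduced to the fields this
// check reads. Rule IDs, hostnames and paths are placeholders.
const sampleRuleset = {
  phase: "http_config_settings",
  rules: [
    { id: "rule-a", enabled: true, action: "set_config",
      expression: 'starts_with(http.request.uri.path, "/downloads/")',
      action_parameters: { response_body_buffering: "none" } },
    { id: "rule-b", enabled: true, action: "set_config",
      expression: 'starts_with(http.request.uri.path, "/api/")',
      action_parameters: { request_body_buffering: "none" } },
    { id: "rule-c", enabled: true, action: "set_config",
      expression: "true",
      action_parameters: { request_body_buffering: "none",
                           response_body_buffering: "none" } },
    { id: "rule-d", enabled: true, action: "set_config",
      expression: 'http.host eq "www.example.com"',
      action_parameters: { request_body_buffering: "standard" } },
    { id: "rule-e", enabled: false, action: "set_config",
      expression: "true",
      action_parameters: { request_body_buffering: "none" } },
  ],
};

// Pull path-like string literals ("/...") out of a rule expression.
function pathLiterals(expression) {
  return [...expression.matchAll(/"(\/[^"]*)"/g)].map((m) => m[1]);
}

// inspectedPrefixes: paths the operator expects body inspection on
// (hypothetical input; maintain this list alongside your WAF policy).
function auditBodyBuffering(ruleset, inspectedPrefixes) {
  const findings = [];
  for (const rule of ruleset.rules || []) {
    if (rule.enabled === false || rule.action !== "set_config") continue;
    const params = rule.action_parameters || {};
    const directions = ["request", "response"].filter(
      (d) => params[`${d}_body_buffering`] === "none"
    );
    if (directions.length === 0) continue;

    const expression = (rule.expression || "").trim();
    const literals = pathLiterals(expression);
    let severity;
    let reason;
    if (expression === "true") {
      severity = "high";
      reason = "matches all traffic";
    } else if (literals.length === 0) {
      severity = "review";
      reason = "no path literal in expression; scope unknown to this check";
    } else {
      // Overlap in either direction: the rule covers an inspected path, or an
      // inspected prefix covers the rule's path.
      const hits = inspectedPrefixes.filter((p) =>
        literals.some((l) => p.startsWith(l) || l.startsWith(p))
      );
      severity = hits.length ? "high" : "info";
      reason = hits.length
        ? `overlaps inspected path(s): ${hits.join(", ")}`
        : `scoped to ${literals.join(", ")}`;
    }
    findings.push({ id: rule.id, directions, severity, reason });
  }
  return findings;
}

for (const f of auditBodyBuffering(sampleRuleset, ["/api/login", "/admin"])) {
  console.log(`${f.severity.padEnd(6)} ${f.id} [${f.directions.join("+")}] ${f.reason}`);
}
```

Anything reported as review needs a manual read of the expression, since the check only recognises quoted path literals.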

You can now set the timezone in the Cloudflare dashboard as Coordinated Universal Time (UTC) or your browser or system's timezone.

What's New

Unless otherwise specified in the user interface, all dates and times in the Cloudflare dashboard are now displayed in the selected timezone. You can change the timezone setting from the user profile dropdown. The page will reload to apply the new timezone setting.

Cloudflare source IPs are the IP addresses used by Cloudflare services (such as Load Balancing, Gateway, and Browser Isolation) when sending traffic to your private networks. For customers using legacy mode routing, traffic to private networks is sourced from public Cloudflare IPs, which may cause IP conflicts. For customers using Unified Routing mode (beta), traffic to private networks is sourced from a dedicated, non-Internet-routable private IPv4 range to ensure:

- Symmetric routing over private network connections
- Proper firewall state preservation
- Private traffic stays on secure paths

Key details:

- IPv4: Sourced from 100.64.0.0/12 by default, configurable to any /12 CIDR
- IPv6: Sourced from 2606:4700:cf1:5000::/64 (not configurable)
- Affected connectors: GRE, IPsec, CNI, WARP Connector, and WARP Client (Cloudflare Tunnel is not affected)

Configuring Cloudflare source IPs requires Unified Routing (beta) and the Cloudflare One Networks Write permission. For configuration details, refer to Configure Cloudflare source IPs.

Jan 26, 2026

This week’s release introduces new detections for denial-of-service attempts targeting React CVE-2026-23864 (https://www.cve.org/CVERecord?id=CVE-2026-23864).

Key Findings

CVE-2026-23864 (https://www.cve.org/CVERecord?id=CVE-2026-23864) affects react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack packages. Attackers can send crafted HTTP requests to Server Function endpoints, causing server crashes, out-of-memory exceptions, or excessive CPU usage.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | aaede80b4d414dc89c443cea61680354 | N/A | React Server - DOS - CVE:CVE-2026-23864 - 1 | N/A | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 3e93c9faaafa447c83a525f2dcdffcf8 | N/A | React Server - DOS - CVE:CVE-2026-23864 - 2 | N/A | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 930020d567684f19b05fb35b349edbc6 | N/A | React Server - DOS - CVE:CVE-2026-23864 - 3 | N/A | Block | This is a new detection. |

Jan 23, 2026

You can now store up to 10 million vectors in a single Vectorize index, doubling the previous limit of 5 million vectors. This enables larger-scale semantic search, recommendation systems, and retrieval-augmented generation (RAG) applications without splitting data across multiple indexes. Vectorize continues to support indexes with up to 1,536 dimensions per vector at 32-bit precision. Refer to the Vectorize limits documentation for complete details.

In an effort to improve overall user security, users without 2FA will be prompted upon login to enroll in email 2FA. This will improve user security posture while minimizing friction. Users without email 2FA enabled will see a prompt to secure their account with additional factors upon logging in. Enrolling in 2FA remains optional, but strongly encouraged as it is the best way to prevent account takeovers.

We also made changes to existing 2FA screens to improve the user experience. Now we have distinct experiences for each 2FA factor type, reflective of the way that factor works.

For more information

- Configure Email Two Factor Authentication

Paid plans can now have up to 100,000 files per Pages site, increased from the previous limit of 20,000 files. To enable this increased limit, set the environment variable PAGES_WRANGLER_MAJOR_VERSION=4 in your Pages project settings. The Free plan remains at 20,000 files per site. For more details, refer to the Pages limits documentation.

Jan 22, 2026

You can now require Cloudflare Access protection for all hostnames in your account. When enabled, traffic to any hostname that does not have a matching Access application is automatically blocked.

This deny-by-default approach prevents accidental exposure of internal resources to the public Internet. If a developer deploys a new application or creates a DNS record without configuring an Access application, the traffic is blocked rather than exposed.

How it works

- Blocked by default: Traffic to all hostnames in the account is blocked unless an Access application exists for that hostname.
- Explicit access required: To allow traffic, create an Access application with an Allow or Bypass policy.
- Hostname exemptions: You can exempt specific hostnames from this requirement.

To turn on this feature, refer to Require Access protection.

You can now configure Workers to run close to infrastructure in legacy cloud regions to minimize latency to existing services and databases. This is most useful when your Worker makes multiple round trips.

To set a placement hint, set the placement.region property in your Wrangler configuration file:

wrangler.jsonc

```jsonc
{
  "placement": {
    "region": "aws:us-east-1",
  },
}
```

wrangler.toml

```toml
[placement]
region = "aws:us-east-1"
```

Placement hints support Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure region identifiers. Workers run in the Cloudflare data center with the lowest latency to the specified cloud region.

If your existing infrastructure is not in these cloud providers, expose it to placement probes with placement.host for layer 4 checks or placement.hostname for layer 7 checks. These probes are designed to locate single-homed infrastructure and are not suitable for anycasted or multicasted resources.

wrangler.jsonc

```jsonc
{
  "placement": {
    "host": "my_database_host.com:5432",
  },
}
```

wrangler.toml

```toml
[placement]
host = "my_database_host.com:5432"
```

wrangler.jsonc

```jsonc
{
  "placement": {
    "hostname": "my_api_server.com",
  },
}
```

wrangler.toml

```toml
[placement]
hostname = "my_api_server.com"
```

This is an extension of Smart Placement, which automatically places your Workers closer to back-end APIs based on measured latency. When you do not know the location of your back-end APIs or have multiple back-end APIs, set mode: "smart":

wrangler.jsonc

```jsonc
{
  "placement": {
    "mode": "smart",
  },
}
```

wrangler.toml

```toml
[placement]
mode = "smart"
```

Three new API token permissions are available for Cloudflare Access, giving you finer-grained control when building automations and integrations:

- Access: Organizations Revoke — Grants the ability to revoke user sessions in a Zero Trust organization. Use this permission when you need a token that can terminate active sessions without broader write access to organization settings.
- Access: Population Read — Grants read access to the SCIM users and groups synced from an identity provider to Cloudflare Access. Use this permission for tokens that only need to read synced user and group data.
- Access: Population Write — Grants write access to the SCIM users and groups synced from an identity provider to Cloudflare Access. Use this permission for tokens that need to create or modify synced user and group data.

These permissions are scoped at the account level and can be combined with existing Access permissions. For a full list of available permissions, refer to API token permissions.

Cloudflare Rulesets now includes encode_base64() and sha256() functions, enabling you to generate signed request headers directly in rule expressions. These functions support common patterns like constructing a canonical string from request attributes, computing a SHA256 digest, and Base64-encoding the result.

New functions

| Function | Description | Availability |
| --- | --- | --- |
| encode_base64(input, flags) | Encodes a string to Base64 format. Optional flags parameter: u for URL-safe encoding, p for padding (adds = characters to make the output length a multiple of 4, as required by some systems). By default, output is standard Base64 without padding. | All plans (in header transform rules) |
| sha256(input) | Computes a SHA256 hash of the input string. | Requires enablement |

Note: The sha256() function is available as an Enterprise add-on and requires a specific entitlement. Contact your account team to enable it.

Examples

Encode a string to Base64 format:

```
encode_base64("hello world")
```

Returns: aGVsbG8gd29ybGQ

Encode a string to Base64 format with padding:

```
encode_base64("hello world", "p")
```

Returns: aGVsbG8gd29ybGQ=

Perform a URL-safe Base64 encoding of a string:

```
encode_base64("hello world", "u")
```

Returns: aGVsbG8gd29ybGQ

Compute the SHA256 hash of a secret token:

```
sha256("my-token")
```

Returns a hash that your origin can validate to authenticate requests.

Compute the SHA256 hash of a string and encode the result to Base64 format:

```
encode_base64(sha256("my-token"))
```

Combines hashing and encoding for systems that expect Base64-encoded signatures.

For more information, refer to the Functions reference.
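The origin side of the signed-header pattern described above, as an added example that is not Cloudflare's code: it reproduces the encode_base64() flag behaviour stated on this page (unpadded by default, p for padding, u for URL-safe) and validates a received header in constant time. Assumptions: sha256() yields the raw 32-byte digest before encoding, and the canonical string layout, secret and hostnames are hypothetical.

```javascript
const { createHash, timingSafeEqual } = require("node:crypto");

// Mirror of the documented encode_base64() flags:
// no flags -> standard alphabet without padding, "p" -> padded, "u" -> URL-safe.
function encodeBase64(input, flags = "") {
  const buf = Buffer.isBuffer(input) ? input : Buffer.from(input, "utf8");
  let out = buf.toString("base64"); // Node emits the padded standard alphabet
  if (flags.includes("u")) out = out.replace(/\+/g, "-").replace(/\//g, "_");
  if (!flags.includes("p")) out = out.replace(/=+$/, "");
  return out;
}

// ASSUMPTION: encode_base64(sha256(x)) encodes the raw digest bytes, not a hex
// string. Compare against a header your rule really emits before relying on it.
function expectedSignature(canonical, flags = "") {
  const digest = createHash("sha256").update(canonical, "utf8").digest();
  return encodeBase64(digest, flags);
}

// Hypothetical canonical string: the rule expression and the origin must build
// it from the same attributes, in the same order, with the same separator.
function canonicalString(secret, host, path) {
  return [secret, host, path].join("|");
}

// Constant-time validation of the header value the rule attached.
function verifySignedHeader(headerValue, canonical, flags = "") {
  if (typeof headerValue !== "string") return false;
  const expected = Buffer.from(expectedSignature(canonical, flags), "utf8");
  const received = Buffer.from(headerValue, "utf8");
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (received.length !== expected.length) return false;
  return timingSafeEqual(received, expected);
}

// Constructed values for a stand-alone run.
const canonical = canonicalString("constructed-secret", "app.example.com", "/api/v1/orders");
const header = expectedSignature(canonical);
console.log("unpadded signature length:", header.length);
console.log("valid header accepted:", verifySignedHeader(header, canonical));
console.log("padded variant accepted:", verifySignedHeader(header + "=", canonical));
```

A rule that emits the default unpadded form and an origin that expects padding will reject every request, so fix the flags on both sides before enforcing the check.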

Jan 20, 2026

Auxiliary Workers are now fully supported when using full-stack frameworks, such as React Router and TanStack Start, that integrate with the Cloudflare Vite plugin. They are included alongside the framework's build output in the build output directory. Note that this feature requires Vite 7 or above.

Auxiliary Workers are additional Workers that can be called via service bindings from your main (entry) Worker. They are defined in the plugin config, as in the example below:

```ts
import { defineConfig } from "vite";
import { tanstackStart } from "@tanstack/react-start/plugin/vite";
import { cloudflare } from "@cloudflare/vite-plugin";

export default defineConfig({
  plugins: [
    tanstackStart(),
    cloudflare({
      viteEnvironment: { name: "ssr" },
      auxiliaryWorkers: [{ configPath: "./wrangler.aux.jsonc" }],
    }),
  ],
});
```

See the Vite plugin API docs for more info.

The .sql file extension is now automatically configured to be importable in your Worker code when using Wrangler or the Cloudflare Vite plugin. This is particularly useful for importing migrations in Durable Objects and means you no longer need to configure custom rules when using Drizzle.

SQL files are imported as JavaScript strings:

```js
// example will be a JavaScript string
import example from "./example.sql";
```

Cloudflare Fundamentals, Terraform - Terraform v5.16.0 now available

In January 2025, we announced the launch of the new Terraform v5 Provider. We greatly appreciate the proactive engagement and valuable feedback from the Cloudflare community following the v5 release. In response, we've established a consistent and rapid 2-3 week cadence for releasing targeted improvements, demonstrating our commitment to stability and reliability.

With the help of the community, we have a growing number of resources that we have marked as stable, with that list continuing to grow with every release. The most used resources are on track to be stable by the end of March 2026, when we will also be releasing a new migration tool to help you migrate from v4 to v5 with ease.

Thank you for continuing to raise issues. They make our provider stronger and help us build products that reflect your needs.

This release includes bug fixes, the stabilization of even more popular resources, and more.

Features

- custom_pages: add "waf_challenge" as new supported error page type identifier in both resource and data source schemas
- list: enhance CIDR validator to check for normalized CIDR notation requiring network address for IPv4 and IPv6
- magic_wan_gre_tunnel: add automatic_return_routing attribute for automatic routing control
- magic_wan_gre_tunnel: add BGP configuration support with new BGP model attribute
- magic_wan_gre_tunnel: add bgp_status computed attribute for BGP connection status information
- magic_wan_gre_tunnel: enhance schema with BGP-related attributes and validators
- magic_wan_ipsec_tunnel: add automatic_return_routing attribute for automatic routing control
- magic_wan_ipsec_tunnel: add BGP configuration support with new BGP model attribute
- magic_wan_ipsec_tunnel: add bgp_status computed attribute for BGP connection status information
- magic_wan_ipsec_tunnel: add custom_remote_identities attribute for custom identity configuration
- magic_wan_ipsec_tunnel: enhance schema with BGP and identity-related attributes
- ruleset: add request body buffering support
- ruleset: enhance ruleset data source with additional configuration options
- workers_script: add observability logs attributes to list data source model
- workers_script: enhance list data source schema with additional configuration options

Bug Fixes

- account_member: fix resource importability issues
- dns_record: remove unnecessary fmt.Sprintf wrapper around LoadTestCase call in test configuration helper function
- load_balancer: fix session_affinity_ttl type expectations to match Float64 in initial creation and Int64 after migration
- workers_kv: handle special characters correctly in URL encoding

Documentation

- account_subscription: update schema description for rate_plan.sets attribute to clarify it returns an array of strings
- api_shield: add resource-level description for API Shield management of auth ID characteristics
- api_shield: enhance auth_id_characteristics.name attribute description to include JWT token configuration format requirements
- api_shield: specify JSONPath expression format for JWT claim locations
- hyperdrive_config: add description attribute to name attribute explaining its purpose in dashboard and API identification
- hyperdrive_config: apply description improvements across resource, data source, and list data source schemas
- hyperdrive_config: improve schema descriptions for cache settings to clarify default values
- hyperdrive_config: update port description to clarify defaults for different database types

For more information

- Terraform Provider
- Documentation on using Terraform with Cloudflare
- List of stabilized resources

This week's release focuses on improvements to existing detections to enhance coverage.

Key Findings

Existing rule enhancements have been deployed to improve detection resilience against SQL injection.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | a291bd530fa346d18cc1ce5a68d90c8f | N/A | SQLi - Comment - Beta | Log | Block | This rule is merged into the original rule "SQLi - Comment" (ID: 42c424998d2a42c9808ab49c6d8d8fe4) |
| Cloudflare Managed Ruleset | da289f9e692e4f5397d915fbfaa045cf | N/A | SQLi - Comparison - Beta | Log | Block | This rule is merged into the original rule "SQLi - Comparison" (ID: 8166da327a614849bfa29317e7907480) |

Latest: Apr 17, 2026. Tracking since: Dec 18, 2025. Last fetched: Apr 18, 2026.