Cloudflare Email security now supports Triage Status Tracking for User Submissions. This enhancement gives SOC teams a streamlined way to track, manage, and prioritize user-submitted emails directly within the Cloudflare One dashboard.
The User Submissions table now includes a Status column with three states: Unreviewed (new submissions awaiting triage), Reviewed (submissions assessed by the SOC team), and Escalated (submissions escalated to team submissions for further investigation). Analysts can quickly update statuses and filter the table to focus on what needs attention.
SOC teams can now organize their triage workflows, avoid duplicate reviews, and make sure critical threats get escalated for deeper investigation—bringing order to the chaos of high-volume submission management.
Triage Status Tracking is automatically available for all Email security customers using the user submissions feature. No additional configuration is required; customers just need to make sure user submissions are being sent to their user submission aliases.
This applies to all Email security packages:
Advantage
Enterprise
Enterprise + PhishGuard
The Workers runtime now automatically sends a reciprocal Close frame when it receives a Close frame from the peer. The readyState transitions to CLOSED before the close event fires. This matches the WebSocket specification and standard browser behavior. This change is enabled by default for Workers using compatibility dates on or after 2026-04-07 (via the web_socket_auto_reply_to_close compatibility flag). Existing code that manually calls close() inside the close event handler will continue to work — the call is silently ignored when the WebSocket is already closed. const [client, server] = Object.values(new WebSocketPair());server.accept(); server.addEventListener("close", (event) => { // readyState is already CLOSED — no need to call server.close(). console.log(server.readyState); // WebSocket.CLOSED console.log(event.code); // 1000 console.log(event.wasClean); // true}); Half-open mode for WebSocket proxying The automatic close behavior can interfere with WebSocket proxying, where a Worker sits between a client and a backend and needs to coordinate the close on both sides independently. To support this use case, pass { allowHalfOpen: true } to accept(): const [client, server] = Object.values(new WebSocketPair()); server.accept({ allowHalfOpen: true }); server.addEventListener("close", (event) => { // readyState is still CLOSING here, giving you time // to coordinate the close on the other side. console.log(server.readyState); // WebSocket.CLOSING // Manually close when ready. server.close(event.code, "done");}); For more information, refer to WebSockets Close behavior.
You can now manage mutual TLS (mTLS) and Bring Your Own Certificate Authority (BYO CA) configurations directly from the Cloudflare dashboard — no API required. Previously, these advanced workflows required the Cloudflare API. The following are now available in the dashboard:
AOP certificate management — Upload and manage your own certificate authorities for Authenticated Origin Pulls (AOP) directly from the dashboard. BYO Client mTLS certificate management — Upload and manage your own CA certificates for client mTLS enforcement without needing API access. CDN hostname to client mTLS certificate mapping — Associate client mTLS certificates with specific hostnames directly from the dashboard.
Cloudflare One Appliance now supports Link Aggregation Control Protocol (LACP), allowing you to bundle up to six physical LAN ports into a single logical interface. Link aggregation increases available bandwidth and eliminates single points of failure on the LAN side of the appliance. This feature is available in beta on physical appliance hardware with the latest OS. No entitlement is required. To configure a Link Aggregation Group, refer to Configure link aggregation groups.
This week's release introduces new detections for a critical Remote Code Execution (RCE) vulnerability in MCP Server (CVE-2026-23744), alongside targeted protection for an authentication bypass vulnerability in SolarWinds products (CVE-2025-40552). Additionally, this release includes a new generic detection rule designed to identify and block Cross-Site Scripting (XSS) injection attempts leveraging "OnEvent" handlers within HTTP cookies. Key Findings
MCP Server (CVE-2026-23744): A vulnerability in the Model Context Protocol (MCP) server implementation where malformed input payloads can trigger a memory corruption state, allowing for arbitrary code execution.
SolarWinds (CVE-2025-40552): A critical flaw in the authentication module allows unauthenticated attackers to bypass security filters and gain unauthorized access to the management console due to improper identity token validation.
XSS OnEvents Cookies: This generic rule identifies malicious event handlers (such as onload or onerror) embedded within HTTP cookie values.
Impact Successful exploitation of the MCP Server and SolarWinds vulnerabilities could allow unauthenticated attackers to execute arbitrary code or gain administrative control, leading to a full system takeover. Additionally, the new generic XSS detection prevents attackers from leveraging browser event handlers in cookies to hijack user sessions or execute malicious scripts. RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionCommentsCloudflare Managed Ruleset73ae1cf103da4bacaa2e1a610aa410af N/ALogDisabledGeneric Rules - Command Execution - 5 - BodyThis is a new detection.Cloudflare Managed Ruleseta88a85b0cc5a4bc2abead6289131ec2f N/ALogDisabledGeneric Rules - Command Execution - 5 - HeaderThis is a new detection.Cloudflare Managed Ruleset28518cdc40544979bbd86720551eb9e5 N/ALogBlockGeneric Rules - Command Execution - 5 - URIThis is a new detection.Cloudflare Managed Ruleset1177993d53a1467997002b44d46229eb N/ALogBlockMCP Server - Remote Code Execution - CVE:CVE-2026-23744This is a new detection.Cloudflare Managed Ruleset3d43cdfbc3c14584942f8bc4a864b9c2 N/ALogBlockXSS - OnEvents - CookiesThis is a new detection.Cloudflare Managed Ruleset41153470df2365192b0df74ca78ad04e N/ALogDisabledSQLi - Evasion - BodyThis is a new detection.Cloudflare Managed Ruleset64d812e6d5844d7c9d7a44a440732d48 N/ALogDisabledSQLi - Evasion - HeadersThis is a new detection.Cloudflare Managed Ruleset50de9369ef7c45928a5dfb34e68a99b5 N/ALogDisabledSQLi - Evasion - URIThis is a new detection.Cloudflare Managed Ruleset765ffb5c67b94c9589106c843e8143d2 N/ALogDisabledSQLi - LIKE 3 - BodyThis is a new detection.Cloudflare Managed Ruleset5c3dbd4f115e47c781491fcd70e7fb97 N/ALogDisabledSQLi - LIKE 3 - URIThis is a new detection.Cloudflare Managed Ruleset89fa6027a0334949b1cb2e654c538bd9 N/ALogDisabledSQLi - UNION - 2 - BodyThis is a new detection.Cloudflare Managed Ruleset05946b3458364f1b9d4819d561c439c9 N/ALogDisabledSQLi - UNION - 2 - URIThis is a new detection.Cloudflare Managed Rulesetb2fe5c2a39df4609b6d39908cf33ea10 N/ALogBlockSolarWinds - Auth Bypass - CVE:CVE-2025-40552This is a new detection.
Redesigned "Get Help" Portal for faster, personalized help Cloudflare has officially launched a redesigned "Get Help" Support Portal to eliminate friction and get you to a resolution faster. Previously, navigating support meant clicking through multiple tiles, categorizing your own technical issues across 50+ conditional fields, and translating your problem into Cloudflare's internal taxonomy. The new experience replaces that complexity with a personalized front door built around your specific account plan. Whether you are under a DDoS attack or have a simple billing question, the portal now presents a single, clean page that surfaces the direct paths available to you — such as "Ask AI", "Chat with a human", or "Community" — without the manual triage. What's New
One Page, Clear Choices: No more navigating a grid of overlapping categories. The portal now uses action cards tailored to your plan (Free, Pro, Business, or Enterprise), ensuring you only see the support channels you can actually use. A Radically Simpler Support Form: We've reduced the ticket submission process from four+ screens and 50+ fields to a single screen with five critical inputs. You describe the issue in your own words, and our backend handles the categorization. AI-Driven Triage: Using Cloudflare Workers AI and Vectorize, the portal now automatically generates case subjects and predicts product categories.
Moving complexity to the backend Behind the scenes, we've moved the complexity from the user to our own developer stack. When you describe an issue, we use semantic embeddings to capture intent rather than just keywords. By leveraging case-based reasoning, our system compares your request against millions of resolved cases to route your inquiry to the specialist best equipped to help. This ensures that while the front-end experience is simpler for you, the back-end routing is more accurate than ever. To learn more, refer to the Support documentation or select Get Help directly in the Cloudflare Dashboard.
Cloudflare Email Security now supports DANE (DNS-based Authentication of Named Entities) for MX deployments. This enhancement strengthens email transport security by enabling DNSSEC-backed certificate verification for our regional MX records.
Regional MX hostnames now publish DANE TLSA records backed by DNSSEC, enabling DANE-capable SMTP senders to cryptographically validate certificate identities before establishing TLS connections—moving beyond opportunistic encryption to verified encrypted delivery. DANE support is automatically available for all customers using regional MX deployments. No additional configuration is required; DANE-capable mail infrastructure will automatically validate MX certificates using the published records.
This applies to all Email Security packages:
Advantage Enterprise Enterprise + PhishGuard
Cloudflare has added a new field to the Gateway DNS Logpush dataset:
ResponseTimeMs: Total response time of the DNS request in milliseconds.
For the complete field definitions, refer to Gateway DNS dataset.
We're announcing the public beta of Organizations for enterprise customers, a new top-level Cloudflare container that lets Cloudflare customers manage multiple accounts, members, analytics, and shared policies from one centralized location. What's New Organizations [BETA]: Organizations are a new top-level container for centrally managing multiple accounts. Each Organization supports up to 500 accounts and 500 zones, giving larger teams a single place to administer resources at scale. Self-serve onboarding: Enterprise customers can create an Organization in the dashboard and assign accounts where they are already Super Administrators. Centralized Account Management: At launch, every Organization member has the Organization Super Admin role. Organization Super Admins can invite other users and manage any child account under the Organization implicitly. Shared policies: Share WAF or Gateway policies across multiple accounts within your Organization to simplify centralized policy management. Implicit access: Members of an Organization automatically receive Super Administrator permissions across child accounts, removing the need for explicit membership on each account. Additional Org-level roles will be available over the course of the year. Unified analytics: View, filter, and download aggregate HTTP analytics across all Organization child accounts from a single dashboard for centralized visibility into traffic patterns and security events. Terraform provider support: Manage Organizations with infrastructure as code from day one. Provision organizations, assign accounts, and configure settings programmatically with the Cloudflare Terraform provider. Shared policies: Share WAF or Gateway policies across multiple accounts within your Organization to simplify centralized policy management. NoteOrganizations is in Public Beta. You must have an Enterprise account to create an organization, but once created, you can add accounts of any plan type where you are a Super Administrator. For more info:
Get started with Organizations Set up your Organization Review limitations
We are partnering with Google to bring @cf/google/gemma-4-26b-a4b-it to Workers AI. Gemma 4 26B A4B is a Mixture-of-Experts (MoE) model built from Gemini 3 research, with 26B total parameters and only 4B active per forward pass. By activating a small subset of parameters during inference, the model runs almost as fast as a 4B-parameter model while delivering the quality of a much larger one. Gemma 4 is Google's most capable family of open models, designed to maximize intelligence-per-parameter. Key capabilities
Mixture-of-Experts architecture with 8 active experts out of 128 total (plus 1 shared expert), delivering frontier-level performance at a fraction of the compute cost of dense models 256,000 token context window for retaining full conversation history, tool definitions, and long documents across extended sessions Built-in thinking mode that lets the model reason step-by-step before answering, improving accuracy on complex tasks Vision understanding for object detection, document and PDF parsing, screen and UI understanding, chart comprehension, OCR (including multilingual), and handwriting recognition, with support for variable aspect ratios and resolutions Function calling with native support for structured tool use, enabling agentic workflows and multi-step planning Multilingual with out-of-the-box support for 35+ languages, pre-trained on 140+ languages Coding for code generation, completion, and correction
Use Gemma 4 26B A4B through the Workers AI binding (env.AI.run()), the REST API at /run or /v1/chat/completions, or the OpenAI-compatible endpoint. For more information, refer to the Gemma 4 26B A4B model page.
A new GA release for the Windows Cloudflare One Client is now available on the stable releases downloads page. This release contains minor fixes and improvements. The next stable release for Windows will introduce the new Cloudflare One Client UI, providing a cleaner and more intuitive design as well as easier access to common actions and information. Changes and improvements
Consumer-only CLI commands are now clearly distinguished from Zero Trust commands. Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting. Added monitoring for tunnel statistics collection timeouts. Switched tunnel congestion control algorithm for local proxy mode to Cubic for improved reliability across platforms. Fixed packet capture failing on tunnel interface when the tunnel interface is renamed by SCCM VPN boundary support. Fixed unnecessary registration deletion caused by RDP connections in multi-user mode. Fixed increased tunnel interface start-up time due to a race between duplicate address detection (DAD) and disabling NetBT. Fixed tunnel failing to connect when the system DNS search list contains unexpected characters. Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config. Fixed an issue in local proxy mode where the client could become unresponsive due to upstream connection timeouts. Fixed an issue where the emergency disconnect status of a prior organization persisted after a switch to a different organization. Fixed initiating managed network detections checks when no network is available, which caused device profile flapping. Fixed an issue where degraded Windows Management Instrumentation (WMI) state could put the client in a failed connection state loop during initialization.
Known issues
For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 version KB5062553 or higher for resolution. This warning will be omitted from future release notes. This Windows update was released in July 2025.
Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later. This warning will be omitted from future release notes. This Microsoft Security Intelligence update was released in May 2025.
DNS resolution may be broken when the following conditions are all true:
The client is in Secure Web Gateway without DNS filtering (tunnel-only) mode. A custom DNS server address is configured on the primary network adapter. The custom DNS server address on the primary network adapter is changed while the client is connected.
To work around this issue, reconnect the client by selecting Disconnect and then Connect in the client user interface.
A new GA release for the macOS Cloudflare One Client is now available on the stable releases downloads page. This release contains minor fixes and improvements. The next stable release for macOS will introduce the new Cloudflare One Client UI, providing a cleaner and more intuitive design as well as easier access to common actions and information. Changes and improvements
Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config. Fixed an issue in local proxy mode where the client could become unresponsive due to upstream connection timeouts. Fixed an issue where the emergency disconnect status of a prior organization persisted after a switch to a different organization. Consumer-only CLI commands are now clearly distinguished from Zero Trust commands. Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting. Added monitoring for tunnel statistics collection timeouts. Switched tunnel congestion control algorithm for local proxy mode to Cubic for improved reliability across platforms. Fixed initiating managed network detections checks when no network is available, which caused device profile flapping.
A new GA release for the Linux Cloudflare One Client is now available on the stable releases downloads page. This release contains minor fixes and improvements. The next stable release for Linux will introduce the new Cloudflare One Client UI, providing a cleaner and more intuitive design as well as easier access to common actions and information. Changes and improvements
Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config. Fixed an issue in local proxy mode where the client could become unresponsive due to upstream connection timeouts. Fixed an issue where the emergency disconnect status of a prior organization persisted after a switch to a different organization. Consumer-only CLI commands are now clearly distinguished from Zero Trust commands. Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting. Added monitoring for tunnel statistics collection timeouts. Switched tunnel congestion control algorithm for local proxy mode to Cubic for improved reliability across platforms. Fixed initiating managed network detections checks when no network is available, which caused device profile flapping.
MCP server portals support in-session management of upstream MCP server connections. Users can return to the server selection page at any time to enable or disable servers, reauthenticate, or change which data a server has access to — all without leaving their MCP client.
To return to the server selection page, ask your AI agent with a prompt like "take me back to the server selection page." The portal responds with an authorization URL via MCP elicitation that you open in your browser:
https://./authorize?elicitationId=
From the server selection page you can:
Enable or disable servers — Toggle individual upstream MCP servers on or off. Disabling a server removes its tools from the active session, which reduces context window usage.
Log out and reauthenticate — Log out of a server and log back in to change which data the server has access to, or to reauthenticate with different permissions.
Users can also enable or disable a server inline by asking their AI agent directly, for example "enable the wiki server" or "disable my Jira server."
The portal also automatically prompts connected users to authorize new servers when an admin adds them to the portal. This requires the use of managed OAuth.
For more information, refer to Manage portal sessions.
Cloudflare Logpush now supports BigQuery as a native destination. Logs from Cloudflare can be sent to Google Cloud BigQuery via Logpush. The destination can be configured through the Logpush UI in the Cloudflare dashboard or by using the Logpush API. For more information, refer to the Destination Configuration documentation.
AI Gateway now supports automatic retries at the gateway level. When an upstream provider returns an error, your gateway retries the request based on the retry policy you configure, without requiring any client-side changes. You can configure the retry count (up to 5 attempts), the delay between retries (from 100ms to 5 seconds), and the backoff strategy (Constant, Linear, or Exponential). These defaults apply to all requests through the gateway, and per-request headers can override them. This is particularly useful when you do not control the client making the request and cannot implement retry logic on the caller side. For more complex failover scenarios — such as failing across different providers — use Dynamic Routing. For more information, refer to Manage gateways.
All wrangler workflows commands now accept a --local flag to target a Workflow running in a local wrangler dev session instead of the production API. You can now manage the full Workflow lifecycle locally, including triggering Workflows, listing instances, pausing, resuming, restarting, terminating, and sending events: npx wrangler workflows list --localnpx wrangler workflows trigger my-workflow --localnpx wrangler workflows instances list my-workflow --localnpx wrangler workflows instances pause my-workflow --localnpx wrangler workflows instances send-event my-workflow --type my-event --local All commands also accept --port to target a specific wrangler dev session (defaults to 8787). For more information, refer to Workflows local development.
AI Search supports a wrangler ai-search command namespace. Use it to manage instances from the command line. The following commands are available:
CommandDescriptionwrangler ai-search createCreate a new instance with an interactive wizardwrangler ai-search listList all instances in your accountwrangler ai-search getGet details of a specific instancewrangler ai-search updateUpdate the configuration of an instancewrangler ai-search deleteDelete an instancewrangler ai-search searchRun a search query against an instancewrangler ai-search statsGet usage statistics for an instance The create command guides you through setup, choosing a name, source type (r2 or web), and data source. You can also pass all options as flags for non-interactive use: wrangler ai-search create my-instance --type r2 --source my-bucket Use wrangler ai-search search to query an instance directly from the CLI: wrangler ai-search search my-instance --query "how do I configure caching?" All commands support --json for structured output that scripts and AI agents can parse directly. For full usage details, refer to the Wrangler commands documentation.
Workers Builds now supports Deploy Hooks — trigger builds from your headless CMS, a Cron Trigger, a Slack bot, or any system that can send an HTTP request.
Each Deploy Hook is a unique URL tied to a specific branch. Send it a POST and your Worker builds and deploys.
curl -X POST "https://api.cloudflare.com/client/v4/workers/builds/deploy_hooks/"
To create one, go to Workers & Pages > your Worker > Settings > Builds > Deploy Hooks.
Since a Deploy Hook is a URL, you can also call it from another Worker. For example, a Worker with a Cron Trigger can rebuild your project on a schedule:
JavaScript export default { async scheduled(event, env, ctx) { ctx.waitUntil(fetch(env.DEPLOY_HOOK_URL, { method: "POST" })); },}; TypeScript export default { async scheduled(event: ScheduledEvent, env: Env, ctx: ExecutionContext): Promisevoid> { ctx.waitUntil(fetch(env.DEPLOY_HOOK_URL, { method: "POST" })); },} satisfies ExportedHandlerEnv>;
You can also use Deploy Hooks to rebuild when your CMS publishes new content or deploy from a Slack slash command.
Built-in optimizations
Automatic deduplication: If a Deploy Hook fires multiple times before the first build starts running, redundant builds are automatically skipped. This keeps your build queue clean when webhooks retry or CMS events arrive in bursts. Last triggered: The dashboard shows when each hook was last triggered. Build source: Your Worker's build history shows which Deploy Hook started each build by name.
Deploy Hooks are rate limited to 10 builds per minute per Worker and 100 builds per minute per account. For all limits, see Limits & pricing. To get started, read the Deploy Hooks documentation.
Two new fields are now available in rule expressions that surface Layer 4 transport telemetry from the client connection. Together with the existing cf.timings.client_tcp_rtt_msec field, these fields give you a complete picture of connection quality for both TCP and QUIC traffic — enabling transport-aware rules without requiring any client-side changes. Previously, QUIC RTT and delivery rate data was only available via the Server-Timing: cfL4 response header. These new fields make the same data available directly in rule expressions, so you can use them in Transform Rules, WAF Custom Rules, and other phases that support dynamic fields. New fields
FieldTypeDescriptioncf.timings.client_quic_rtt_msecIntegerThe smoothed QUIC round-trip time (RTT) between Cloudflare and the client in milliseconds. Only populated for QUIC (HTTP/3) connections. Returns 0 for TCP connections.cf.edge.l4.delivery_rateIntegerThe most recent data delivery rate estimate for the client connection, in bytes per second. Returns 0 when L4 statistics are not available for the request. Example: Route slow connections to a lightweight origin Use a request header transform rule to tag requests from high-latency connections, so your origin can serve a lighter page variant: Rule expression: cf.timings.client_tcp_rtt_msec > 200 or cf.timings.client_quic_rtt_msec > 200 Header modifications:
OperationHeader nameValueSetX-High-Latencytrue Example: Match low-bandwidth connections cf.edge.l4.delivery_rate > 0 and cf.edge.l4.delivery_rate For more information, refer to Request Header Transform Rules and the fields reference.