What Cloudflare shipped in May 2026

Cloudflare launches Flagship feature flagging with binding API and OpenFeature SDK

Cloudflare introduced Flagship, a feature flagging system integrated with Cloudflare Workers via a binding API. Developers can create boolean flags (e.g., new-checkout) and evaluate them in Workers us…

Cloudflare Workers VPC beta enables private cloud connectivity

Cloudflare launched Workers VPC in beta, allowing Workers to securely connect to private APIs, services, and databases in external clouds (AWS, Azure, GCP, on-prem) via Cloudflare Tunnel. The feature …

Cloudflare launches Network Analytics v2 with near real-time DDoS insights

Cloudflare introduced Network Analytics v2, offering near real-time visibility into network and transport-layer traffic and DDoS attacks. The update requires an Enterprise plan, Magic Transit or Spect…

How we built Cloudflare's data platform and an AI agent on top of it

Cloudflare introduced Town Lake, a unified data analytics platform replacing dozens of disparate systems with a single SQL interface, and Skipper, an AI agent enabling natural-language queries. Both a…

Cloudflare adds named recipient addresses to Email Service API

Cloudflare’s Email Service now supports display names for recipient addresses (to, cc, bcc, from) in addition to plain email strings. Developers can pass objects with email and optional name fields vi…

Cloudflare introduces image transformation flows for automated optimization

Cloudflare launched Flows, a feature enabling automated, no-code image optimization via conditional rules that trigger optimization parameters like format conversion (AVIF/WebP) or responsive sizing. …

Iran's Internet is partially restored, Cloudflare Radar data shows

Cloudflare adds automated connectivity pre-checks to cloudflared 2026.5.2

Cloudflare introduced automated connectivity pre-checks in cloudflared version 2026.5.2 that run every tunnel startup, validating DNS resolution, UDP/TCP connectivity on port 7844, and management API …

Cloudflare Developer Docs

Build without boundaries

Cloudflare cache responses

Anadolu Efes

Fullscript

Stack Overflow

Introduction

Tightknit

Hutchison Telecom Hong Kong

Hutchison Telecom Hong Kong (HTHK) consolidated security and performance onto Cloudflare’s single global platform to modernize its infrastructure, reducing operational complexity and costs while impro…

Mitsubishi Gas Chemical

Kaizen Gaming

Kaizen Gaming, a major sports betting platform with 13M users, reduced backend load by 99% and cut bandwidth costs by over 90% by adopting Cloudflare Durable Objects. The edge-computing solution aggre…

Canva

Canva leverages Cloudflare’s connectivity cloud to secure and scale its global SaaS platform, supporting 260M monthly users. The partnership enables Zero Trust security, bot management, Workers-driven…

Skyscanner

Skyscanner replaced its legacy VPN with Cloudflare’s Zero Trust Network Access, improving global workforce security, simplifying access workflows, and reducing latency to under 200ms for users in Asia…

Intility

CLI

Cloudflare Impact

Hello, Researcher!

Cloudflare Status

Cloudflare adds AI-powered natural language regex generation for Gateway policies

Cloudflare introduced an AI tool in Cloudflare One Gateway that lets users write and explain regex patterns using plain English. The feature generates and validates regex for policy selectors and can …

Cloudflare launches transformation flows for automated image optimization

Cloudflare introduced transformation flows in Images, enabling automated, no-code image optimization rules based on conditions like file extensions or URL paths. The feature supports provider flows fo…

Cloudflare Tunnel, Cloudflare Tunnel for SASE - Cloudflare Tunnel now runs connectivity pre-checks at startup

Cloudflare Tunnel’s cloudflared binary (v2026.5.2+) now runs automated connectivity pre-checks at startup, replacing manual DNS and port checks with dig/netcat. The feature detects DNS issues, UDP/TCP…

2026 05 26 warp macos ga

Cloudflare released the GA version 2026.4.1390.0 of its macOS Cloudflare One Client, featuring a redesigned UI that improves usability and access to common actions. The update is available immediately…

2026 05 26 warp windows ga

Cloudflare released the GA version 2026.4.1390.0 of its Windows Cloudflare One Client, featuring a redesigned, cleaner, and more intuitive UI with easier access to common actions. The update is availa…

Get HTTP requests summary by dimension

Configure tunnel endpoints

Cloudflare introduced bidirectional health checks as the default for WAN tunnels (GRE/IPsec) and clarified anti-replay protection settings, including a default-disabled option for devices like Cisco M…

Configure tunnel endpoints

Pricing change detected for Cloudflare

Pricing updated for Cloudflare: - Plan features or structure changed

2026 05 26 warp linux ga

Cloudflare released the General Availability (GA) version 2026.4.1390.0 of its Cloudflare One Client for Linux, featuring a new UI with a cleaner, more intuitive design and easier access to common act…

Pricing change detected for Cloudflare

Pricing updated for Cloudflare: - Free: promotion ended (was: forever)

REST API

Cloudflare launched a unified REST API for its AI Gateway, enabling users to call any AI model—hosted by Cloudflare or third parties like OpenAI and Anthropic—through a single API with built-in featur…

Unified Billing

Cloudflare launched Unified Billing for AI Gateway, enabling users to consolidate spending on third-party AI providers (OpenAI, Anthropic, Google AI Studio) into a single Cloudflare bill. A 5% fee app…

Cloudflare Tunnel

Cloudflare updated its Tunnel documentation to emphasize outbound-only connectivity via the cloudflared daemon, enabling secure access to private resources (HTTP, SSH, RDP) without public IPs. This mo…

Manage

Policies

Cloudflare updated its policy system to expose underlying data principles via API, allowing more flexible permission management. Effective permissions are now additive, combining direct assignments an…

Granular permissions

Cloudflare introduced granular permissions to scope member access to individual Tunnel instances, enabling teams to manage specific Tunnels without account-wide access. Existing account-level roles re…

2026 05 26 bypass status for uncacheable responses

Cloudflare now returns a consistent BYPASS status for all uncacheable responses, replacing the previous mix of BYPASS and MISS labels. This change clarifies whether Cloudflare deliberately chose not t…

2026 05 26 public beta

Cloudflare introduced Flagship, a feature flagging system now in public beta, enabling direct evaluation from Cloudflare Workers without outbound HTTP calls. It leverages Workers KV and Durable Object…

Cloudflare Connect on Tour Sydney 2026 announced

Cloudflare announced Connect on Tour Sydney, a one-day event on July 30, 2026, at Hilton Sydney, targeting innovators in security, networking, and AI. The event will showcase unified platform solution…

Cloudflare Immerse São Paulo

Cloudflare announced the third edition of Immerse São Paulo, a one-day event on April 16, 2026, at the Renaissance São Paulo Hotel. The event focuses on practical strategies for modernizing infrastruc…

Cloudflare Immerse Boston

Cloudflare announced the rescheduling of its Immerse roadshow in Boston on April 16, 2026, targeting security, IT, and digital leaders. The event will focus on Zero Trust, SASE, DDoS, application secu…

2026 05 21 rest api

Cloudflare introduced a new REST API for AI Gateway enabling unified calls to any AI model (OpenAI, Anthropic, Google, or Workers AI) via a single endpoint and authentication method. All AI Gateway fe…

Cloudflare modernizes Billing Profile with unified Subscriptions tab and new payment options

Cloudflare launched a redesigned Billing Profile consolidating billing info, payment methods, and subscriptions under a single Subscriptions tab. The update adds support for Apple Pay, Google Pay, Lin…

2026 05 21 vpc networks cloudflare wan

Cloudflare added support for Workers VPC Network bindings to route requests to private services connected via Cloudflare WAN, including tunnels, Mesh nodes, or on-ramps. A single binding can now reach…

2026 05 21 tunnel mesh granular permissions

Cloudflare introduced granular permissions for Cloudflare Tunnel instances and Mesh nodes, allowing administrators to delegate access to specific resources without granting full account-level control.…

Cloudflare Radar adds HTTP request time-series grouping v2

Cloudflare released a new API endpoint in Radar that retrieves HTTP request distributions grouped by 15+ dimensions such as ASN, bot class, content type, device, and TLS version. The endpoint supports…

Cloudflare enables Cloudflare as an identity provider for Access policies

Cloudflare now allows its own platform to serve as an identity provider for Access policies, enabling authentication based on Cloudflare account membership. Users can restrict access to specific accou…

Pricing change detected for Cloudflare

Pricing updated for Cloudflare: - Free: new promotion — forever

Pricing change detected for Cloudflare

Pricing updated for Cloudflare: - New tier: Pay-as-you-go ($7/mo user) - Removed: Free (Teams) tier - Removed: Pay-as-you-go (Teams) tier - Removed: Contract (Teams) tier

Cloudflare Immerse Toronto

Cloudflare announced Immerse, a premier roadshow event in Toronto on May 20, 2026, targeting security, IT, and digital leaders. The event focuses on Zero Trust, SASE, DDoS, application security, and A…

Pricing change detected for Cloudflare

Pricing updated for Cloudflare: - New tier: Free (Teams) ($0/mo) - New tier: Pay-as-you-go (Teams) ($7/mo per user) - New tier: Contract (Teams) (Custom pricing) - Removed: Teams (under 50 users) tier…

Pricing change detected for Cloudflare

Pricing updated for Cloudflare: - New tier: Teams (under 50 users) ($0/mo) - New tier: Teams (over 50 users) ($7/mo per user) - New tier: Contract (SASE/Workspace) (Custom pricing) - Removed: Pay-as-y…

Cloudflare rolls out refreshed DNS records UX with mobile-first design and advanced filters

Cloudflare is rolling out a refreshed DNS records page in its dashboard starting May 20, 2026, with opt-in availability for all users. The update introduces resizable columns, advanced filters, a mobi…

Cloudflare WAF release enhances detection and blocks Sitecore cache poisoning

Cloudflare deployed enhancements to its WAF managed ruleset on May 20, 2026, improving detection resilience against web attacks and behavioral coverage. A new rule targeting Sitecore cache poisoning (…

Radar - Content type distribution and API traffic share on Cloudflare Radar

Cloudflare Radar introduced two new charts on its traffic page: a content type distribution chart and an API traffic share chart. The content type chart breaks down HTTP response types by category wit…

Cloudflare Artifacts adds event subscriptions for repo lifecycle automation

Cloudflare Artifacts now emits structured events for repository lifecycle changes (creates, deletes, forks, imports, clones, pushes, fetches) that can be subscribed to via Cloudflare Queues. Developer…

Announcing Claude Managed Agents on Cloudflare

Cloudflare and Anthropic launched an integration enabling Claude Managed Agents to run on Cloudflare Sandboxes, offering enhanced security, observability, and scalability. The integration provides lig…

Pricing change detected for Cloudflare

Pricing updated for Cloudflare: - Free: now includes Teams under 50 users or enterprise proof-of-concept tests. - Contract: now includes Organizations building toward full-featured SASE or workspace s…

Pricing change detected for Cloudflare

Pricing updated for Cloudflare: - Plan features or structure changed

Cloudflare Access now supports Cloudflare as identity provider

Cloudflare Access now allows users to authenticate using their existing Cloudflare accounts, replacing One-time PINs as the default identity provider for new Zero Trust accounts. The update includes a…

Artifacts, Queues - Event subscriptions for Artifacts lifecycle events

Cloudflare introduced event subscriptions for Artifacts lifecycle events, enabling real-time notifications for repository changes. Developers can now consume these events via Workers to build commit-d…

Cloudflare Radar adds MRT Explorer for in-browser BGP analysis

Cloudflare Radar introduced MRT Explorer, a browser-based tool that parses Multi-Threaded Routing Toolkit (MRT) dump files to inspect BGP messages, AS paths, and community attributes without uploading…

Cloudflare adds Wrangler commands for Artifacts management

Cloudflare introduced new Wrangler commands to manage Artifacts namespaces, repositories, and repo-scoped tokens, currently in private beta. The commands include listing, creating, retrieving, and del…

Cloudflare adds local dev tunnel support for Wrangler and Vite

Cloudflare now lets developers expose local Wrangler or Vite dev servers via Cloudflare Tunnels, enabling public sharing of previews or webhook testing. Users can generate random or stable hostnames (…

Project Glasswing: what Mythos showed us

Cloudflare’s Project Glasswing tested Anthropic’s Mythos Preview LLM, finding it capable of constructing exploit chains from multiple vulnerabilities and generating working proofs of concept—capabilit…

Workers - Share local dev servers through Cloudflare Tunnel in Wrangler and Vite

Cloudflare introduced a feature allowing developers to share local dev sessions through Cloudflare Tunnel using Wrangler or the Vite plugin, generating a public URL for previews, webhook testing, or c…

Cloudflare removes legacy --remote flag for KV-backed Durable Objects

Cloudflare discontinued support for the deprecated `wrangler dev --remote` flag for KV-backed Durable Objects on May 18, 2026. The flag was never compatible with the recommended SQLite storage backend…

2026 05 18 unified routing network analytics

Cloudflare now supports Network Analytics for accounts using Unified Routing, providing visibility into dataplane traffic without additional configuration. This resolves a parity gap for customers who…

Cloudflare adds Wrangler CLI commands for Artifacts management

Cloudflare introduced new Wrangler CLI commands to manage Artifacts namespaces, repos, and repo-scoped tokens directly from the command line. The update includes commands for listing, creating, retrie…

Cloudflare WAN adds post-quantum IPsec and anycast GRE/ IPsec tunnels

Cloudflare WAN now supports post-quantum IPsec tunnels using ML-KEM-768 hybrid key exchange (RFC 9370) alongside classical DH groups, enhancing resistance to harvest-now-decrypt-later attacks. Both GR…

Cloudflare launches R2 Data Catalog in public beta

Cloudflare introduced R2 Data Catalog, a managed Apache Iceberg data catalog integrated directly into R2 buckets, now in public beta. The feature enables standard Iceberg REST catalog interfaces for t…

Cloudflare R2 SQL expands SQL syntax with JOINs, CTEs, and subqueries

Cloudflare documented expanded SQL support in R2 SQL, including JOINs (all types), common table expressions (CTEs), and subqueries in FROM/IN/NOT IN/EXISTS clauses. The engine remains in public beta a…

Cloudflare expands Workers AI model catalog with 78 new models

Cloudflare’s Workers AI platform now hosts 78 models, including frontier-scale text generators like Moonshot AI’s Kimi K2.6 and OpenAI’s gpt-oss-120b, multimodal models such as Meta’s Llama 4 Scout, a…

Pricing change detected for Cloudflare

Pricing updated for Cloudflare: - Free: promotion ended (was: forever)

Pricing change detected for Cloudflare

Pricing updated for Cloudflare: - Plan features or structure changed

R2 SQL - R2 SQL now supports JOINs, subqueries, and multi-table queries

Cloudflare’s R2 SQL now supports JOINs, subqueries, and multi-table queries for Iceberg tables stored in R2 Data Catalog. This enables complex analytical queries directly on Cloudflare’s global networ…

Cloudflare emergency WAF release blocks nginx heap overflow exploits (CVE-2026-42945)

Cloudflare issued an emergency WAF update on May 15, 2026, adding two new rules to block exploitation attempts targeting a critical nginx heap buffer overflow vulnerability (CVE-2026-42945). The rules…

Pricing change detected for Cloudflare

Pricing updated for Cloudflare: - Free: new promotion — forever

Pricing discovered for Cloudflare

Pricing updated for Cloudflare: - New tier: Free ($0/mo) - New tier: Pro ($25/mo ($20/mo annually, 20% off)) - New tier: Business ($250/mo ($200/mo annually, 20% off)) - New tier: Contract (Custom pri…

Cloudflare Workers adds Custom Domains for automatic DNS and certificate management

Cloudflare introduced Custom Domains for Workers, enabling automatic DNS record creation and certificate issuance for domain or subdomain routing without manual configuration. This simplifies deployme…

Cloudflare Workers adds versioned and aliased preview URLs for testing

Cloudflare Workers now supports two types of preview URLs—versioned and aliased—to test new Worker versions without deploying to production. Versioned previews auto-generate for each new version, whil…

Our billing pipeline was suddenly slow. The culprit was a hidden bottleneck in ClickHouse

Cloudflare identified a hidden bottleneck in ClickHouse query planning after migrating to a per-namespace partitioning scheme, causing lock contention that slowed billing jobs. They fixed it with shar…

Workers - New Domains tab in the Workers dashboard

Cloudflare introduced a new Domains tab in the Workers dashboard, enabling users to purchase domains via Cloudflare Registrar, add existing domains, and manage Worker routing in one place. The feature…

Cloudflare launches AI chat agent APIs with Durable Objects and SQLite persistence

Cloudflare introduced new AI chat agent APIs—AIChatAgent and useAgentChat—built on Durable Objects and SQLite for automatic message persistence, resumable streaming, and real-time sync. The APIs suppo…

Cloudflare adds One-time PIN login to Zero Trust Access

Cloudflare introduced One-time PIN (OTP) login as an alternative authentication method in its Zero Trust Access service, allowing users to receive a PIN via email instead of relying solely on identity…

Browser Run: now running on Cloudflare Containers, it’s faster and more scalable

Cloudflare rebuilt its Browser Run headless browser service on Cloudflare Containers, increasing concurrent browser capacity from 30 to 120 and spin-up rate from 15 to 60 browsers per minute. Quick Ac…

Announcing Claude Compliance API support with Cloudflare CASB

Cloudflare added support for Anthropic’s Claude Compliance API in its CASB, enabling enterprises to monitor and control Claude usage directly in the Cloudflare dashboard without endpoint agents. The i…

Cloudflare Workers adds 15+ starter templates for rapid project scaffolding

Cloudflare expanded its Cloudflare Workers starter templates with over 15 new GitHub repositories designed to accelerate project setup, including Astro blogs, AI chat apps, Durable Objects-based chat,…

Why Cloudflare is protecting publishers from content piracy

Cloudflare now blocks AI company crawlers by default via its AI Crawl Control, having launched the feature in September 2024. It is also developing a 'Pay Per Crawl' model to let websites charge AI fi…

Cloudflare 發表2026年威脅報告 國家級駭客與網路犯罪者轉向「登入」

2026 Partner Program Guide Details

Cloudflare updates Logpush datasets with new security and monitoring fields

Cloudflare introduced two new Logpush datasets—Email Security Post-Delivery Events and Magic Network Monitoring Flow Logs—along with updated fields in existing datasets like Firewall events and HTTP r…

Agents, Workers - Agents SDK v0.12.4: chat recovery, routing retries, durable Think submissions, and Voice connection control

Cloudflare released Agents SDK v0.12.4 with chat recovery improvements for interrupted sessions, durable Think submissions that persist across restarts, routing retry configuration, and Voice agent co…

Cloudflare Web Analytics /cdn-cgi/rum endpoint now rejects non-POST requests with 405

Cloudflare’s /cdn-cgi/rum beacon endpoint now returns a 405 Method Not Allowed (with Allow: POST, OPTIONS header) for non-POST requests instead of 404, clarifying that the endpoint exists but only acc…

Cloudflare expands Cloudflare One Appliance with hardware and virtual options

Cloudflare updated its Cloudflare One Appliance documentation to clarify deployment options, including pre-installed hardware appliances and downloadable virtual appliances. Both options enable IPsec …

Cloudflare enables custom DHCP options for PXE/iPXE and VoIP in Cloudflare One Appliance

Cloudflare added support for configuring custom DHCP options in its Cloudflare One Appliance DHCP server, enabling PXE/iPXE boot, VoIP provisioning, and vendor-specific client configurations. Changes …

Cloudflare One Virtual Appliance now supports self-serve provisioning via API and Terraform

Cloudflare expanded Cloudflare One Virtual Appliance capabilities with self-serve provisioning via API or Terraform, enabling direct creation, license rotation, and deletion of virtual appliances. The…

Cloudflare adds metrics and analytics for R2 Data Catalog Iceberg REST API and table maintenance

Cloudflare introduced new metrics and analytics for R2 Data Catalog, enabling programmatic monitoring of Iceberg REST API operations and table maintenance jobs (compaction, snapshot expiration) via th…

When "idle" isn't idle: how a Linux kernel optimization became a QUIC bug

A bug in the Linux CUBIC congestion control algorithm, originally fixed in the kernel, was ported to Cloudflare's QUIC implementation (quiche) where it caused the congestion window to remain pinned at…

wrangler@4.90.1

Patch Changes #13866 4e44ce6 Thanks @dependabot ! - Update dependencies of "miniflare", "wrangler" The following dependency versions have been updated: Dependency From To workerd 1.20260507.1 1.202605…

@cloudflare/workers-shared@0.19.6

Patch Changes #13855 dba84c2 Thanks @courtney-sims ! - Temporarily hardcode asset worker cohort to "ent" for latency testing Disables the lookupCohort RPC call and cohort-based version routing in the …

@cloudflare/vite-plugin@1.36.4

Patch Changes #13888 2af4ce0 Thanks @jamesopstad ! - Update Vite to v8.0.12 This updates the bundled Vite module runner to include the bug fix in vitejs/vite#22369 . Updated dependencies [ 4e44ce6 , b…

@cloudflare/vitest-pool-workers@0.16.4

Patch Changes Updated dependencies [ 4e44ce6 , b0cee1d , d878e13 , 971dfe3 , 971dfe3 , 5d936c5 ]: miniflare@4.20260508.0 wrangler@4.90.1

create-cloudflare@2.68.2

Patch Changes #13873 a6914bd Thanks @dependabot ! - Update dependencies of "create-cloudflare" The following dependency versions have been updated: Dependency From To create-vike 0.0.622 0.0.625 #1387…

@cloudflare/pages-shared@0.13.134

Patch Changes Updated dependencies [ 4e44ce6 , 5d936c5 ]: miniflare@4.20260508.0

miniflare@4.20260508.0

Minor Changes #8431 5d936c5 Thanks @penalosa ! - Support workerd autogates via the MINIFLARE_WORKERD_AUTOGATES environment variable. Patch Changes #13866 4e44ce6 Thanks @dependabot ! - Update dependen…

Cloudflare updates WAF rules to block React Server Components RCE (CVE-2025-55182)

Cloudflare deployed and updated WAF rules to block remote code execution (RCE) vulnerabilities, including a new rule for CVE-2025-55182 in React Server Components and enhancements for Monsta FTP, Fort…

Cloudflare adds WAF rules to block Next.js CVE-2025-29927 authentication bypass

Cloudflare introduced new WAF rules to block the Next.js authentication bypass vulnerability (CVE-2025-29927), initially opting rules in for Pro plans and above. The rules target requests with the `x-…

Cloudflare WAF to add Java deserialization detections on May 11, 2026

Cloudflare will release three new WAF managed rules on May 11, 2026, targeting Java deserialization-based remote code execution across request body, headers, and URI. These rules will initially be dis…

2026 05 12 single anycast ip default

Cloudflare now assigns a single IPv4 anycast address by default to new Magic Transit and Cloudflare WAN accounts. The anycast IP automatically advertises from multiple global data centers to handle ne…

Cloudflare Gateway adds AI-powered natural language policy creation

Cloudflare Gateway now lets administrators create DNS, HTTP, and Network firewall policies by describing desired outcomes in plain language. The AI generates a fully configured rule that incorporates …

Cloudflare refreshes Access login page with unified card and mobile improvements

Cloudflare updated its Access login and one-time password pages with a modernized design featuring a unified authentication card, consistent button styling, and improved mobile responsiveness includin…

Cloudflare R2 Data Catalog adds GraphQL Analytics API for Iceberg metrics

Cloudflare’s R2 Data Catalog now exposes metrics via the GraphQL Analytics API, enabling monitoring of Iceberg REST API operations and table maintenance jobs. Two new datasets—`r2CatalogDataOperations…

Cloudflare enables SSH by default for Containers via Wrangler

Cloudflare now enables SSH through Wrangler by default for its Containers product, removing the need to manually set `ssh.enabled` to `true`. Access remains secure, requiring an `ssh-ed25519` public k…

Cloudflare One Client - Cloudflare One Client for Windows (version 2026.4.1350.0)

Cloudflare released the GA version 2026.4.1350.0 of its Windows Cloudflare One Client, featuring a redesigned, cleaner UI with improved navigation and access to common actions. The update is available…

Cloudflare One Client - Cloudflare One Client for macOS (version 2026.4.1350.0)

Cloudflare released the GA version 2026.4.1350.0 of its macOS Cloudflare One Client, featuring a redesigned, cleaner UI with improved navigation and access to common actions. The update is available i…

Cloudflare One Client - Cloudflare One Client for Linux (version 2026.4.1350.0)

Cloudflare released the general availability version 2026.4.1350.0 of its Linux Cloudflare One Client, featuring a redesigned UI that improves usability and access to common actions. The update is ava…

Cloudflare WAF release 2026-05-11: Enhanced detection and rule improvements

Cloudflare deployed managed WAF rule enhancements on May 11, 2026, improving detection resilience against web attacks and behavioral coverage. A new rule for Java Deserialization was merged into an ex…

Cloudflare adds NAT-T support for IKE on UDP port 500

Cloudflare IPsec now supports standard NAT traversal (NAT-T), allowing IKE to begin on UDP port 500 and switch to port 4500 after NAT detection. Previously, devices behind NAT had to initiate IKE on p…

Cloudflare launches GLM-4.7-Flash multilingual AI model on Workers AI

Cloudflare introduced GLM-4.7-Flash, a high-performance multilingual text generation model with a 131,072-token context window, optimized for dialogue, instruction-following, and multi-turn tool calli…

Cloudflare launches Google’s Gemma 4 26B model on Workers AI

Cloudflare added Google’s Gemma 4 26B a4b-it model to its Workers AI platform, offering a 256,000-token context window, function calling, reasoning, and vision capabilities. Pricing is $0.10 per M inp…

Cloudflare to deprecate 18 Workers AI models on May 30, 2026

Cloudflare will deprecate 18 older models in its Workers AI catalog on May 30, 2026, replacing them with newer alternatives like GLM-4.7-Flash and Gemma-4-26B. Kimi K2.5 will be aliased to K2.6, which…

Cloudflare mitigates multiple React and Next.js security vulnerabilities in WAF

Cloudflare announced mitigations for multiple high-severity vulnerabilities in React Server Components and Next.js, including denial-of-service, middleware bypass, SSRF, XSS, and cache poisoning. Exis…

Building for the future

Cloudflare announced a global workforce reduction of over 1,100 employees, citing a need to rearchitect the company for the agentic AI era. The decision is framed as a strategic shift to align with in…

wrangler@4.90.0

Minor Changes #12279 248bc08 Thanks @penalosa ! - Add deprecation warning for delivery_delay in queue producer bindings The delivery_delay setting in [[queues.producers]] was silently having no effect…

Cloudflare Stream adds Workers API bindings for video management

Cloudflare Stream now supports direct API bindings within Workers, enabling programmatic video uploads, direct client-side uploads, video listing, captioning, watermarking, and download management wit…

Cloudflare Workers introduces automatic tracing for end-to-end request visibility

Cloudflare Workers now offers automatic tracing instrumentation to provide end-to-end visibility into request flows across applications, enabling performance bottleneck identification and debugging wi…

Cloudflare Workers introduces Service Bindings for zero-latency Worker-to-Worker communication

Cloudflare Workers now supports Service Bindings, enabling direct, zero-overhead communication between Workers without public URLs. This feature allows RPC-style method calls or HTTP-based fetch reque…

Cloudflare Workers adds OpenTelemetry export for traces and logs

Cloudflare Workers now supports exporting OpenTelemetry-compliant traces and logs to any OTel-compatible destination, enabling integration with existing observability stacks. Users can configure desti…

wrangler@4.89.1

Patch Changes #13824 dd3baf3 Thanks @emily-shen ! - Fix container deployment being skipped for Workers for Platforms user workers Previously, deploying a worker with --dispatch-namespace would early-e…

wrangler@4.89.0

Minor Changes #13055 f3fed88 Thanks @GregBrimble ! - Introducing the cache configuration option for Workers. You can now set { cache: { enabled: true } } in your Wrangler configuration file to enable …

How Cloudflare responded to the “Copy Fail” Linux vulnerability

Cloudflare disclosed a Linux kernel local privilege escalation vulnerability (CVE-2026-31431, 'Copy Fail') on April 29, 2026, and confirmed no customer impact or service disruption. Their existing beh…

Cloudflare announced WAF protections for multiple high-severity vulnerabilities disclosed in React Server Components and Next.js, including denial-of-service, middleware bypass, SSRF, XSS, and cache p…

Cloudflare adds source-based breakout and prioritization to Cloudflare One Appliance

Cloudflare introduced source-based breakout and prioritization rules for Cloudflare One Appliance, allowing traffic matching by source LAN, VLAN, or CIDR in addition to destination. This enables granu…

Cloudflare adds CSV export and adjustable page density for RFIs

Cloudflare introduced CSV export functionality and adjustable page density (10/25/50 records) for Requests for Information (RFI) in the Cloudforce One platform. These updates target power users managi…

Cloudflare launches Stream bindings for Workers to streamline video pipelines

Cloudflare introduced Stream bindings for Workers, enabling direct video interactions (upload, metadata management, signed URL generation) without API tokens or HTTP requests. This allows programmatic…

Cloudflare unifies traces across Workers and Durable Objects

Cloudflare introduced automatic trace propagation across Worker-to-Worker subrequests, including service bindings and Durable Objects, replacing disconnected traces with a single unified trace. This e…

Cloudflare emergency WAF update blocks Next.js middleware bypass vulnerability

Cloudflare issued an emergency WAF release on May 7, 2026, to address CVE-2026-44575, a critical flaw allowing unauthenticated attackers to bypass Next.js App Router middleware via segment-prefetch ro…

Cloudflare mitigates React and Next.js vulnerabilities with WAF rules and framework updates

Cloudflare deployed managed WAF rules to mitigate newly disclosed React and Next.js vulnerabilities, including denial-of-service and middleware bypass issues. Existing rules already cover some CVEs, w…

Cloudflare enables self-serve API provisioning for Cloudflare One Virtual Appliance

Cloudflare introduced API and Terraform support for self-serve provisioning of Cloudflare One Virtual Appliance instances, including license key creation, rotation, and deletion. Users can now automat…

Cloudflare adds custom DHCP options to Cloudflare One Appliance

Cloudflare enabled custom DHCP option configuration on its Cloudflare One Appliance DHCP server, supporting PXE/iPXE boot, VoIP provisioning, and vendor-specific client setups. Options are validated b…

Cloudflare Radar adds TLD performance API endpoints for latency analysis

Cloudflare expanded its Radar API with new endpoints to analyze top-level domain (TLD) authoritative nameserver performance. The API now supports summary and timeseries queries grouped by latency, nam…

Cloudflare Radar adds TLD performance summary API endpoint

Cloudflare introduced a new API endpoint in Radar to summarize top-level domain (TLD) authoritative nameserver performance by dimensions like latency, nameserver latency, or location latency. The endp…

Cloudflare Radar API adds TLD performance timeseries groups

Cloudflare expanded its Radar API with a new endpoint to retrieve timeseries data on top-level domain (TLD) authoritative nameserver performance, grouped by latency dimensions. The API supports multip…

Cloudflare expands Cloudforce One Threat Events API with new query formats and filters

Cloudflare updated its Cloudforce One Threat Events API to support querying all event datasets per account, with new output formats like STIX2 and TAXII, and enhanced search operators including 'in' f…

Cloudflare Radar API adds top ASes by announced IP space endpoint

Cloudflare introduced a new API endpoint under Radar to retrieve the top autonomous systems by announced IP space, ranked by IPv4 /24 or IPv6 /48 counts. The endpoint supports filtering by country, da…

Cloudflare adds RPKI ROA deployment time series to Radar API

Cloudflare introduced a new API endpoint to retrieve RPKI ROA validation ratios over time via `/radar/bgp/rpki/roas/timeseries`. The endpoint supports filtering by ASN, location, and metric type (e.g.…

When DNSSEC goes wrong: how we responded to the .de TLD outage

On May 5, 2026, DENIC published incorrect DNSSEC signatures for the .de TLD, causing validating resolvers like Cloudflare’s 1.1.1.1 to return SERVFAIL for all .de domains. Cloudflare mitigated the iss…

Immerse Southern California

Cloudflare announced Immerse, a roadshow event in Anaheim, CA on May 6, 2026, targeting security and IT leaders to discuss Zero Trust, SASE, DDoS, and AI application deployment. The event highlights C…

Cloudflare Radar adds TLD nameserver performance insights

Cloudflare Radar now tracks TLD authoritative nameserver performance, offering latency metrics, per-nameserver breakdowns, and geographic distribution via new widgets and API endpoints. Users can anal…

Cloudflare adds AI-generated Cloudy summaries to PhishNet for Office 365

Cloudflare introduced Cloudy summaries in PhishNet for Office 365, providing AI-generated context for suspicious emails to speed up investigations. The feature leverages existing detection models with…

Cloudflare Mesh adds IPv6 CIDR route support

Cloudflare Mesh nodes now support advertising IPv6 CIDR routes alongside IPv4, enabling dual-stack or IPv6-only private networks. Users can configure IPv6 routes (e.g., fd00::/64) via dashboard or API…

Cloudflare adds TAXII support to Threat Events API

Cloudflare’s Threat Events API now supports TAXII format for exporting threat data, enabling direct integration with SIEM, TIP, and SOAR tools. This reduces manual overhead by automating indicator syn…

Cloudflare adds Instant Bank Payments via Link for US customers

Cloudflare introduced Instant Bank Payments (IBP) via Link, allowing US-based self-serve accounts to pay directly from bank accounts during checkout. The feature integrates with Link’s one-click walle…

Cloudflare named Leader in Forrester Wave for Edge Development Platforms

Cloudflare was named a Leader in Forrester’s Edge Development Platforms report for Q1 2026, receiving top scores in Vision, Innovation, Roadmap, and AI application development. The report highlights C…

Cloudflare enables Terraform integration for Pipelines and R2 Data Catalog

Cloudflare introduced Terraform support for configuring Pipelines and R2 Data Catalog via the Cloudflare provider (v5.19.0+). The integration automates the creation of R2 buckets, data catalogs, strea…

Terraform Registry

Terraform Registry

Cloudflare enables Apache Spark (Scala) integration with R2 Data Catalog

Cloudflare published a guide demonstrating how to connect Apache Spark (Scala) applications to its R2 Data Catalog for Iceberg table operations. The example includes prerequisites, a sample Scala appl…

Terraform Registry

Cloudflare R2 Data Catalog integrates with DuckDB for Iceberg table queries

Cloudflare added DuckDB support to its R2 Data Catalog, enabling users to query and manage Iceberg tables directly via DuckDB. The integration requires DuckDB 1.4.0+, an R2 API token with catalog perm…

Terraform Registry

Terraform Registry

Cloudflare WAF release expands attack vector coverage with new detections

Cloudflare’s May 4, 2026 WAF release introduces new detections for command injection, SQL injection, PHP object injection, remote code execution, and XSS vectors. Several beta rules are merged into ex…

Cloudflare migrates cache to Pingora for lower latency and RFC compliance

Cloudflare’s cache now runs on Pingora, its Rust-based proxy framework, replacing the previous system. The change delivers lower latency, reduced cache misses, and stricter RFC compliance, including n…

Cloudflare adds keyboard shortcuts to dashboard

Cloudflare introduced keyboard shortcuts for its dashboard, enabling faster navigation and actions without leaving the keyboard. Users can press `?` to view all shortcuts, which include quick navigati…

Cloudflare Radar adds routing widgets for ASes and RPKI ROA tracking

Cloudflare Radar introduced two new routing widgets: a 'Top ASes by announced IP space' chart on country pages and an RPKI ROA deployment timeseries widget. Both provide deeper visibility into BGP ann…

Cloudflare adds Terraform support for Pipelines and R2 Data Catalog

Cloudflare now supports managing Pipelines and R2 Data Catalog via Terraform with provider v5.19.0. Four new resources enable infrastructure-as-code for data ingestion, transformation, and storage wor…

Cloudflare introduces Data Classification for DLP to standardize sensitive data labeling

Cloudflare added Data Classification to its DLP suite, enabling reusable labels, templates, and data classes to organize and label sensitive content before enforcement. This allows administrators to s…

Cloudflare One expands predefined DLP detection entries with 60+ new patterns

Cloudflare One added over 60 new predefined detection entries to its Data Loss Prevention (DLP) system, covering sensitive identifiers across 30+ countries, cryptocurrency wallets, and API tokens. The…

Code Orange: Fail Small is complete. The result is a stronger Cloudflare network

Cloudflare finished the 'Code Orange: Fail Small' initiative to prevent future outages like those in November and December 2025. Key changes include safer configuration deployments via Snapstone, redu…

Cloudflare One DLP adds regex, EDM, CWL, document, and AI prompt detections

Cloudflare One expanded its DLP detection entries with six new types: pattern entries (Rust regex), Exact Data Match datasets, Custom Wordlist datasets, document entries, and AI prompt topics. Each ty…

Cloudflare introduces Dynamic Workers for on-demand code execution

Cloudflare launched Dynamic Workers, enabling unlimited runtime-spun Workers for executing arbitrary code in secure sandboxes. This allows AI agents to write and run code directly, reducing inference …

Cloudflare launches Dynamic Workflows for per-tenant durable execution

Cloudflare introduced Dynamic Workflows, enabling per-tenant or per-user durable execution by combining Workflows with Dynamic Workers. Each workflow step survives failures, sleeps, or waits for event…

Cloudflare introduces dynamic workflows for per-tenant durable execution

Cloudflare launched dynamic workflows, enabling per-tenant or per-user durable execution by combining Workflows with Dynamic Workers. Each workflow step survives failures, sleeps, or isolate recycling…

Introducing Dynamic Workflows: durable execution that follows the tenant

Cloudflare introduced Dynamic Workflows, enabling platforms to dynamically deploy tenant-specific durable workflows without pre-binding workflow code. This extends their Dynamic Workers model to durab…

Cloudflare enables Workflows inside Dynamic Workers with new library

Cloudflare introduced the @cloudflare/dynamic-workflows library, allowing Workflows to run inside Dynamic Workers for durable, multi-step logic loaded at runtime. This solves durability challenges by …