---
title: Changelogs
image: https://developers.cloudflare.com/cf-twitter-card.png
---

> Documentation Index  
> Fetch the complete documentation index at: https://developers.cloudflare.com/changelog/llms.txt  
> Use this file to discover all available pages before exploring further. 

[Skip to content](#%5Ftop) 

# Changelog

New updates and improvements at Cloudflare.

[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/index.xml) [ View RSS feeds ](https://developers.cloudflare.com/fundamentals/new-features/available-rss-feeds/) 

All products

![hero image](https://developers.cloudflare.com/_astro/hero.CVYJHPAd_26AMqX.svg) 

Feb 25, 2026
1. ### [Write structured queries to filter and search your Workers logs and traces](https://developers.cloudflare.com/changelog/post/2026-02-24-observability-query-language/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
[Workers Observability](https://developers.cloudflare.com/workers/observability/) now includes a query language that lets you write structured queries directly in the search bar to filter your logs and traces. The search bar doubles as a free text search box — type any term to search across all metadata and attributes, or write field-level queries for precise filtering.  
![Workers Observability search bar with autocomplete suggestions and Query Builder sidebar filters](https://developers.cloudflare.com/_astro/2026-02-24-query-language.Ol8UX7m0_ZqdMnt.webp)  
Queries written in the search bar sync with the [Query Builder](https://developers.cloudflare.com/workers/observability/) sidebar, so you can write a query by hand and then refine it visually, or build filters in the Query Builder and see the corresponding query syntax. The search bar provides autocomplete suggestions for metadata fields and operators as you type.  
The query language supports:

  * **Free text search** — search everywhere with a keyword like `error`, or match an exact phrase with `"exact phrase"`
  * **Field queries** — filter by specific fields using comparison operators (for example, `status = 500` or `$workers.wallTimeMs > 100`)
  * **Operators** — `=`, `!=`, `>`, `>=`, `<`, `<=`, and `:` (contains)
  * **Functions** — `contains(field, value)`, `startsWith(field, prefix)`, `regex(field, pattern)`, and `exists(field)`
  * **Boolean logic** — add conditions with `AND`, `OR`, and `NOT`  
Select the help icon next to the search bar to view the full syntax reference, including all supported operators, functions, and keyboard shortcuts.  
Go to the [Workers Observability dashboard ↗](https://dash.cloudflare.com/?to=/:account/workers-and-pages/observability/) to try the query language.

Feb 25, 2026
1. ### [No config? No problem. Just \`wrangler deploy\`](https://developers.cloudflare.com/changelog/post/2026-02-25-wrangler-autoconfig-ga/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
You can now deploy any existing project to Cloudflare Workers — even without a Wrangler configuration file — and `wrangler deploy` will _just work_.  
Starting with Wrangler **4.68.0**, running [wrangler deploy](https://developers.cloudflare.com/workers/wrangler/commands/general/#deploy) [automatically configures your project](https://developers.cloudflare.com/workers/framework-guides/automatic-configuration/) by detecting your framework, installing required adapters, and deploying it to Cloudflare Workers.  
#### Using Wrangler locally  
```sh  
npx wrangler deploy  
```  
When you run `wrangler deploy` in a project without a configuration file, Wrangler:

  1. Detects your framework from `package.json`
  2. Prompts you to confirm the detected settings
  3. Installs any required adapters
  4. Generates a `wrangler.jsonc` [configuration file](https://developers.cloudflare.com/workers/wrangler/configuration/)
  5. Deploys your project to Cloudflare Workers  
You can also use [wrangler setup](https://developers.cloudflare.com/workers/wrangler/commands/general/#setup) to configure without deploying, or pass [\--yes](https://developers.cloudflare.com/workers/wrangler/commands/general/#deploy) to skip prompts.  
#### Using the Cloudflare dashboard  
![Automatic configuration pull request created by Workers Builds](https://developers.cloudflare.com/_astro/automatic-pr.CwJG6Bec_1cC506.webp)  
When you connect a repository through the [Workers dashboard ↗](https://dash.cloudflare.com/?to=/:account/workers-and-pages/create), a [pull request is generated](https://developers.cloudflare.com/workers/ci-cd/builds/automatic-prs/) for you with all necessary files, and a [preview deployment](https://developers.cloudflare.com/workers/configuration/previews/) to check before merging.  
Note  
A pull request is only generated when your deploy command is `npx wrangler deploy`. If you use a custom deploy command, automatic configuration still runs but a PR is not created.  
#### Background  
In December 2025, we [introduced automatic configuration](https://developers.cloudflare.com/changelog/2025-12-16-wrangler-autoconfig/) as an experimental feature. It is now generally available and the default behavior.  
If you have questions or run into issues, join the [GitHub discussion ↗](https://github.com/cloudflare/workers-sdk/discussions/11667).

Feb 24, 2026
1. ### [WARP client for Windows (version 2026.1.150.0)](https://developers.cloudflare.com/changelog/post/2026-02-24-warp-windows-ga/)  
[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)  
A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).  
This release contains minor fixes, improvements, and new features.

**Changes and improvements**

  * Improvements to [multi-user mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/windows-multiuser/). Fixed an issue where when switching from a pre-login registration to a user registration, Mobile Device Management (MDM) configuration association could be lost.
  * Added a new feature to [manage NetBIOS over TCP/IP](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#netbios-over-tcpip) functionality on the Windows client. NetBIOS over TCP/IP on the Windows client is now disabled by default and can be enabled in [device profile settings](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/).
  * Fixed an issue causing failure of the [local network exclusion](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion) feature when configured with a timeout of `0`.
  * Improvement for the Windows [client certificate posture check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate/) to ensure logged results are from checks that run once users log in.
  * Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard.
  * Fixed an issue where misconfigured DEX HTTP tests prevented new registrations.
  * Fixed an issue causing DNS requests to fail with clients in Traffic and DNS mode.
  * Improved service shutdown behavior in cases where the daemon is unresponsive.

**Known issues**

  * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
  * Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
  * DNS resolution may be broken when the following conditions are all true:

    * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
    * A custom DNS server address is configured on the primary network adapter.
    * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
  To work around this issue, reconnect the WARP client by toggling off and back on.

Feb 24, 2026
1. ### [WARP client for macOS (version 2026.1.150.0)](https://developers.cloudflare.com/changelog/post/2026-02-24-warp-macos-ga/)  
[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)  
A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).  
This release contains minor fixes and improvements.

**Changes and improvements**

  * Fixed an issue causing failure of the [local network exclusion](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion) feature when configured with a timeout of `0`.
  * Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard.
  * Fixed an issue with DNS server configuration failures that caused tunnel connection delays.
  * Fixed an issue where misconfigured DEX HTTP tests prevented new registrations.
  * Fixed an issue causing DNS requests to fail with clients in Traffic and DNS mode.

Feb 24, 2026
1. ### [WARP client for Linux (version 2026.1.150.0)](https://developers.cloudflare.com/changelog/post/2026-02-24-warp-linux-ga/)  
[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)  
A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).  
This release contains minor fixes and improvements.  
WARP client version 2025.8.779.0 introduced an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025\. Instructions to make this update are available at [pkg.cloudflareclient.com](https://pkg.cloudflareclient.com).

**Changes and improvements**

  * Fixed an issue causing failure of the [local network exclusion](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion) feature when configured with a timeout of `0`.
  * Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard.
  * Fixed an issue where misconfigured DEX HTTP tests prevented new registrations.
  * Fixed issues causing DNS requests to fail with clients in Traffic and DNS mode or DNS only mode.

Feb 24, 2026
1. ### [deleteAll() now deletes Durable Object alarm](https://developers.cloudflare.com/changelog/post/2026-02-24-deleteall-deletes-alarms/)  
[ Durable Objects ](https://developers.cloudflare.com/durable-objects/)[ Workers ](https://developers.cloudflare.com/workers/)  
`deleteAll()` now deletes a Durable Object alarm in addition to stored data for Workers with a compatibility date of `2026-02-24` or later. This change simplifies clearing a Durable Object's storage with a single API call.  
Previously, `deleteAll()` only deleted user-stored data for an object. Alarm usage stores metadata in an object's storage, which required a separate `deleteAlarm()` call to fully clean up all storage for an object. The `deleteAll()` change applies to both KV-backed and SQLite-backed Durable Objects.

**JavaScript**  
```js  
// Before: two API calls required to clear all storage  
await this.ctx.storage.deleteAlarm();  
await this.ctx.storage.deleteAll();  
// Now: a single call clears both data and the alarm  
await this.ctx.storage.deleteAll();  
```  
For more information, refer to the [Storage API documentation](https://developers.cloudflare.com/durable-objects/api/sqlite-storage-api/#deleteall).

Feb 24, 2026
1. ### [Dropped event metrics, typed Pipelines bindings, and improved setup](https://developers.cloudflare.com/changelog/post/2026-02-24-typed-bindings-setup-improvements-error-metrics/)  
[ Pipelines ](https://developers.cloudflare.com/pipelines/)[ Workers ](https://developers.cloudflare.com/workers/)  
[Cloudflare Pipelines](https://developers.cloudflare.com/pipelines/) ingests streaming data via [Workers](https://developers.cloudflare.com/workers/) or HTTP endpoints, transforms it with SQL, and writes it to [R2](https://developers.cloudflare.com/r2/) as Apache Iceberg tables. Today we're shipping three improvements to help you understand why streaming events get dropped, catch data quality issues early, and set up Pipelines faster.  
#### Dropped event metrics  
When [stream](https://developers.cloudflare.com/pipelines/streams/) events don't match the expected schema, Pipelines accepts them during ingestion but drops them when attempting to deliver them to the [sink](https://developers.cloudflare.com/pipelines/sinks/). To help you identify the root cause of these issues, we are introducing a new dashboard and metrics that surface dropped events with detailed error messages.  
![The Errors tab in the Cloudflare dashboard showing deserialization errors grouped by type with individual error details](https://developers.cloudflare.com/_astro/pipelines-error-log-dash.6JIa7r5d_Z1ILPxd.webp)  
Dropped events can also be queried programmatically via the new `pipelinesUserErrorsAdaptiveGroups` GraphQL dataset. The dataset breaks down failures by specific error type (`missing_field`, `type_mismatch`, `parse_failure`, or `null_value`) so you can trace issues back to the source.  
```graphql  
query GetPipelineUserErrors(  
  $accountTag: String!  
  $pipelineId: String!  
  $datetimeStart: Time!  
  $datetimeEnd: Time!  
) {  
  viewer {  
    accounts(filter: { accountTag: $accountTag }) {  
      pipelinesUserErrorsAdaptiveGroups(  
        limit: 100  
        filter: {  
          pipelineId: $pipelineId  
          datetime_geq: $datetimeStart  
          datetime_leq: $datetimeEnd  
        }  
        orderBy: [count_DESC]  
      ) {  
        count  
        dimensions {  
          errorFamily  
          errorType  
        }  
      }  
    }  
  }  
}  
```  
For the full list of dimensions, error types, and additional query examples, refer to [User error metrics](https://developers.cloudflare.com/pipelines/observability/metrics/#user-error-metrics).  
#### Typed Pipelines bindings  
Sending data to a Pipeline from a Worker previously used a generic `Pipeline<PipelineRecord>` type, which meant schema mismatches (wrong field names, incorrect types) were only caught at runtime as dropped events.  
Running `wrangler types` now generates schema-specific TypeScript types for your [Pipeline bindings](https://developers.cloudflare.com/pipelines/streams/writing-to-streams/#send-via-workers). TypeScript catches missing required fields and incorrect field types at compile time, before your code is deployed.

**TypeScript**  
```ts  
declare namespace Cloudflare {  
  type EcommerceStreamRecord = {  
    user_id: string;  
    event_type: string;  
    product_id?: string;  
    amount?: number;  
  };  
  interface Env {  
    STREAM: import("cloudflare:pipelines").Pipeline<Cloudflare.EcommerceStreamRecord>;  
  }  
}  
```  
For more information, refer to [Typed Pipeline bindings](https://developers.cloudflare.com/pipelines/streams/writing-to-streams/#typed-pipeline-bindings).  
#### Improved Pipelines setup  
Setting up a new Pipeline previously required multiple manual steps: creating an R2 bucket, enabling R2 Data Catalog, generating an API token, and configuring format, compression, and rolling policies individually.  
The `wrangler pipelines setup` command now offers a **Simple** setup mode that applies recommended defaults and automatically creates the [R2 bucket](https://developers.cloudflare.com/r2/buckets/) and enables [R2 Data Catalog](https://developers.cloudflare.com/r2/data-catalog/) if they do not already exist. Validation errors during setup prompt you to retry inline rather than restarting the entire process.  
For a full walkthrough, refer to the [Getting started guide](https://developers.cloudflare.com/pipelines/getting-started/).

Feb 24, 2026
1. ### [Stream live inputs can now be disabled and enabled](https://developers.cloudflare.com/changelog/post/2026-02-24-disable-live-inputs/)  
[ Stream ](https://developers.cloudflare.com/stream/)  
You can now disable a live input to reject incoming RTMPS and SRT connections. When a live input is disabled, any broadcast attempts will fail to connect.  
This gives you more control over your live inputs:

  * Temporarily pause an input without deleting it
  * Programmatically end creator broadcasts
  * Prevent new broadcasts from starting on a specific input  
To disable a live input via the API, set the `enabled` property to `false`:  
```bash  
curl --request PUT \  
https://api.cloudflare.com/client/v4/accounts/{account_id}/stream/live_inputs/{input_id} \
--header "Authorization: Bearer <API_TOKEN>" \
--data '{"enabled": false}'  
```  
You can also disable or enable a live input from the **Live inputs** list page or the live input detail page in the Dashboard.  
All existing live inputs remain enabled by default. For more information, refer to [Start a live stream](https://developers.cloudflare.com/stream/stream-live/start-stream-live/).

Feb 23, 2026
1. ### [Backup and restore API for Sandbox SDK](https://developers.cloudflare.com/changelog/post/2026-02-23-sandbox-backup-restore-api/)  
[ Agents ](https://developers.cloudflare.com/agents/)[ R2 ](https://developers.cloudflare.com/r2/)[ Containers ](https://developers.cloudflare.com/containers/)  
[Sandboxes](https://developers.cloudflare.com/sandbox/) now support `createBackup()` and `restoreBackup()` methods for creating and restoring point-in-time snapshots of directories.  
This allows you to restore environments quickly. For instance, in order to develop in a sandbox, you may need to include a user's codebase and run a build step. Unfortunately `git clone` and `npm install` can take minutes, and you don't want to run these steps every time the user starts their sandbox.  
Now, after the initial setup, you can just call `createBackup()`, then `restoreBackup()` the next time this environment is needed. This makes it practical to pick up exactly where a user left off, even after days of inactivity, without repeating expensive setup steps.

**TypeScript**  
```ts  
const sandbox = getSandbox(env.Sandbox, "my-sandbox");  
// Make non-trivial changes to the file system  
await sandbox.gitCheckout(endUserRepo, { targetDir: "/workspace" });  
await sandbox.exec("npm install", { cwd: "/workspace" });  
// Create a point-in-time backup of the directory  
const backup = await sandbox.createBackup({ dir: "/workspace" });  
// Store the handle for later use  
await env.KV.put(`backup:${userId}`, JSON.stringify(backup));  
// ... in a future session...  
// Restore instead of re-cloning and reinstalling  
await sandbox.restoreBackup(backup);  
```  
Backups are stored in [R2](https://developers.cloudflare.com/r2) and can take advantage of [R2 object lifecycle rules](https://developers.cloudflare.com/sandbox/guides/backup-restore/#configure-r2-lifecycle-rules-for-automatic-cleanup) to ensure they do not persist forever.  
Key capabilities:

  * **Persist and reuse across sandbox sessions** — Easily store backup handles in KV, D1, or Durable Object storage for use in subsequent sessions
  * **Usable across multiple instances** — Fork a backup across many sandboxes for parallel work
  * **Named backups** — Provide optional human-readable labels for easier management
  * **TTLs** — Set time-to-live durations so backups are automatically removed from storage once they are no longer needed  
Note  
Backup and restore currently uses a FUSE overlay. Soon, native snapshotting at a lower level will be added to Containers and Sandboxes, improving speed and ergonomics. The current backup functionality provides a significant speed improvement over manually recreating a file system, but it will be further optimized in the future. The new snapshotting system will use a similar API, so changing to this system will be simple once it is available.  
To get started, refer to the [backup and restore guide](https://developers.cloudflare.com/sandbox/guides/backup-restore/) for setup instructions and usage patterns, or the [Backups API reference](https://developers.cloudflare.com/sandbox/api/backups/) for full method documentation.

Feb 23, 2026
1. ### [Hyperdrive no longer caches queries using STABLE PostgreSQL functions](https://developers.cloudflare.com/changelog/post/2026-02-23-hyperdrive-stable-functions-uncacheable/)  
[ Hyperdrive ](https://developers.cloudflare.com/hyperdrive/)  
Hyperdrive now treats queries containing PostgreSQL `STABLE` functions as uncacheable, in addition to `VOLATILE` functions.  
Previously, only functions [that PostgreSQL categorizes ↗](https://www.postgresql.org/docs/current/xfunc-volatility.html) as `VOLATILE` (for example, `RANDOM()`, `LASTVAL()`) were detected as uncacheable. `STABLE` functions (for example, `NOW()`, `CURRENT_TIMESTAMP`, `CURRENT_DATE`) were incorrectly allowed to be cached.  
Because `STABLE` functions can return different results across different SQL statements within the same transaction, caching their results could serve stale or incorrect data. This change aligns Hyperdrive's caching behavior with PostgreSQL's function volatility semantics.  
If your queries use `STABLE` functions, and you were relying on them being cached, move the function call to your application code and pass the result as a query parameter. For example, instead of `WHERE created_at > NOW()`, compute the timestamp in your Worker and pass it as `WHERE created_at > $1`.  
Hyperdrive uses text-based pattern matching to detect uncacheable functions. References to function names like `NOW()` in SQL comments also cause the query to be marked as uncacheable.  
For more information, refer to [Query caching](https://developers.cloudflare.com/hyperdrive/concepts/query-caching/) and [Troubleshoot and debug](https://developers.cloudflare.com/hyperdrive/observability/troubleshooting/).

Feb 23, 2026
1. ### [Saved views for Threat Events](https://developers.cloudflare.com/changelog/post/2026-02-23-saved-views-in-threat-events/)  
[ Security Center ](https://developers.cloudflare.com/security-center/)  

**TL;DR:** You can now create and save custom configurations of the Threat Events dashboard, allowing you to instantly return to specific filtered views — such as industry-specific attacks or regional Sankey flows — without manual reconfiguration.  
#### Why this matters  
Threat intelligence is most effective when it is personalized. Previously, analysts had to manually re-apply complex filters (like combining specific industry datasets with geographic origins) every time they logged in. This update provides material value by:

  * Analysts can now jump straight into "Known Ransomware Infrastructure" or "Retail Sector Targets" views with a single click, eliminating repetitive setup tasks
  * Teams can ensure everyone is looking at the same data subsets by using standardized saved views, reducing the risk of missing critical patterns due to inconsistent filtering.  
Cloudforce One subscribers can start saving their custom views now in [Application Security > Threat Intelligence > Threat Events ↗](https://dash.cloudflare.com/?to=/:account/security-center/threat-intelligence/threat-events).

Feb 20, 2026
1. ### [@cloudflare/codemode v0.1.0: a new runtime agnostic modular architecture](https://developers.cloudflare.com/changelog/post/2026-02-20-codemode-sdk-rewrite/)  
[ Agents ](https://developers.cloudflare.com/agents/)[ Workers ](https://developers.cloudflare.com/workers/)  
The [@cloudflare/codemode ↗](https://www.npmjs.com/package/@cloudflare/codemode) package has been rewritten into a modular, runtime-agnostic SDK.  
[Code Mode ↗](https://blog.cloudflare.com/code-mode/) enables LLMs to write and execute code that orchestrates your tools, instead of calling them one at a time. This can (and does) yield significant token savings, reduces context window pressure and improves overall model performance on a task.  
The new `Executor` interface is runtime agnostic and comes with a prebuilt `DynamicWorkerExecutor` to run generated code in a [Dynamic Worker Loader](https://developers.cloudflare.com/workers/runtime-apis/bindings/worker-loader/).  
#### Breaking changes

  * Removed `experimental_codemode()` and `CodeModeProxy` — the package no longer owns an LLM call or model choice
  * New import path: `createCodeTool()` is now exported from `@cloudflare/codemode/ai`  
#### New features

  * **`createCodeTool()`** — Returns a standard AI SDK `Tool` to use in your AI agents.
  * **`Executor` interface** — Minimal `execute(code, fns)` contract. Implement for any code sandboxing primitive or runtime.  
#### `DynamicWorkerExecutor`  
Runs code in a [Dynamic Worker](https://developers.cloudflare.com/workers/runtime-apis/bindings/worker-loader/). It comes with the following features:

  * **Network isolation** — `fetch()` and `connect()` blocked by default (`globalOutbound: null`) when using `DynamicWorkerExecutor`
  * **Console capture** — `console.log/warn/error` captured and returned in `ExecuteResult.logs`
  * **Execution timeout** — Configurable via `timeout` option (default 30s)  
#### Usage

  * [  JavaScript ](#tab-panel-4811)
  * [  TypeScript ](#tab-panel-4812)

**JavaScript**  
```js  
import { createCodeTool } from "@cloudflare/codemode/ai";  
import { DynamicWorkerExecutor } from "@cloudflare/codemode";  
import { streamText } from "ai";  
const executor = new DynamicWorkerExecutor({ loader: env.LOADER });  
const codemode = createCodeTool({ tools: myTools, executor });  
const result = streamText({  
  model,  
  tools: { codemode },  
  messages,  
});  
```

**TypeScript**  
```ts  
import { createCodeTool } from "@cloudflare/codemode/ai";  
import { DynamicWorkerExecutor } from "@cloudflare/codemode";  
import { streamText } from "ai";  
const executor = new DynamicWorkerExecutor({ loader: env.LOADER });  
const codemode = createCodeTool({ tools: myTools, executor });  
const result = streamText({  
  model,  
  tools: { codemode },  
  messages,  
});  
```  
#### Wrangler configuration

  * [  wrangler.jsonc ](#tab-panel-4807)
  * [  wrangler.toml ](#tab-panel-4808)

**JSONC**  
```jsonc  
{  
  "worker_loaders": [{ "binding": "LOADER" }],  
}  
```

**TOML**  
```toml  
[[worker_loaders]]  
binding = "LOADER"  
```  
See the [Code Mode documentation](https://developers.cloudflare.com/agents/tools/codemode/) for full API reference and examples.  
#### Upgrade  
```sh  
npm i @cloudflare/codemode@latest  
```

Feb 20, 2026
1. ### [Understand CASB findings instantly with Cloudy Summaries](https://developers.cloudflare.com/changelog/post/2026-02-20-cloudy-in-casb/)  
[ CASB ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/)  
You can now easily understand your SaaS security posture findings and why they were detected with **Cloudy Summaries in CASB**. This feature integrates Cloudflare's Cloudy AI directly into your CASB Posture Findings to automatically generate clear, plain-language summaries of complex security misconfigurations, third-party app risks, and data exposures.  
This allows security teams and IT administrators to drastically reduce triage time by immediately understanding the context, potential impact, and necessary remediation steps for any given finding—without needing to be an expert in every connected SaaS application.  
To view a summary, simply navigate to your Posture Findings in the Cloudflare One dashboard (under **Cloud and SaaS findings**) and open the finding details of a specific instance of a Finding.  
Cloudy Summaries are supported on all available integrations, including Microsoft 365, Google Workspace, Salesforce, GitHub, AWS, Slack, and Dropbox. See the full list of supported integrations [here](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/).  
#### Key capabilities

  * **Contextual explanations** — Quickly understand the specifics of a finding with plain-language summaries detailing exactly what was detected, from publicly shared sensitive files to risky third-party app scopes.
  * **Clear risk assessment** — Instantly grasp the potential security impact of the finding, such as data breach risks, unauthorized account access, or email spoofing vulnerabilities.
  * **Actionable guidance** — Get clear recommendations and next steps on how to effectively remediate the issue and secure your environment.
  * **Built-in feedback** — Help improve future AI summarization accuracy by submitting feedback directly using the thumbs-up and thumbs-down buttons.  
#### Learn more

  * Learn more about managing [CASB Posture Findings](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/) in Cloudflare.  
Cloudy Summaries in CASB are available to all Cloudflare CASB users today.

Feb 20, 2026
1. ### [Manage Cloudflare Tunnel directly from the main Cloudflare Dashboard](https://developers.cloudflare.com/changelog/post/2026-02-20-tunnel-core-dashboard/)  
[ Cloudflare Tunnel ](https://developers.cloudflare.com/tunnel/)[ Cloudflare Tunnel for SASE ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/)  
[Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) is now available in the main Cloudflare Dashboard at [Networking > Tunnels ↗](https://dash.cloudflare.com/?to=/:account/tunnels), bringing first-class Tunnel management to developers using Tunnel for securing origin servers.  
![Manage Tunnels in the Core Dashboard](https://developers.cloudflare.com/_astro/tunnel-core-dashboard.BGPqaHfo_Pi6HO.webp)  
This new experience provides everything you need to manage Tunnels for [public applications](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/), including:

  * **Full Tunnel lifecycle management**: Create, configure, delete, and monitor all your Tunnels in one place.
  * **Native integrations**: View Tunnels by name when configuring [DNS records](https://developers.cloudflare.com/dns/manage-dns-records/how-to/create-dns-records/) and [Workers VPC](https://developers.cloudflare.com/workers-vpc/) — no more copy-pasting UUIDs.
  * **Real-time visibility**: Monitor [replicas](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-availability/) and Tunnel [health status](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors/#tunnel-status) directly in the dashboard.
  * **Routing map**: Manage all ingress routes for your Tunnel, including [public applications](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/), [private hostnames](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/), [private CIDRs](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/), and [Workers VPC services](https://developers.cloudflare.com/workers-vpc/), from a single interactive interface.  
#### Choose the right dashboard for your use case

**Core Dashboard**: Navigate to [Networking > Tunnels ↗](https://dash.cloudflare.com/?to=/:account/tunnels) to manage Tunnels for:

  * Securing origin servers and [public applications](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/) with CDN, WAF, Load Balancing, and DDoS protection
  * Connecting [Workers to private services](https://developers.cloudflare.com/workers-vpc/) via Workers VPC

**Cloudflare One Dashboard**: Navigate to [Zero Trust > Networks > Connectors ↗](https://one.dash.cloudflare.com/?to=/:account/networks/connectors) to manage Tunnels for:

  * Securing your public applications with [Zero Trust access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/)
  * Connecting users to [private applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/)
  * Building a [private mesh network](https://developers.cloudflare.com/reference-architecture/architectures/sase/#connecting-networks)  
Both dashboards provide complete Tunnel management capabilities — choose based on your primary workflow.  
#### Get started  
New to Tunnel? Learn how to [get started with Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/) or explore advanced use cases like [securing SSH servers](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/) or [running Tunnels in Kubernetes](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/deployment-guides/kubernetes/).

Feb 19, 2026
1. ### [AI dashboard experience improvements](https://developers.cloudflare.com/changelog/post/2026-02-19-ai-dashboard-experience-improvements/)  
[ AI Gateway ](https://developers.cloudflare.com/ai-gateway/)[ Workers AI ](https://developers.cloudflare.com/workers-ai/)  
[Workers AI](https://developers.cloudflare.com/workers-ai/) and [AI Gateway](https://developers.cloudflare.com/ai-gateway/) have received a series of dashboard improvements to help you get started faster and manage your AI workloads more easily.

**Navigation and discoverability**  
AI now has its own top-level section in the Cloudflare dashboard sidebar, so you can find AI features without digging through menus.  
![AI sidebar navigation in the Cloudflare dashboard](https://developers.cloudflare.com/_astro/sidebar-navigation.BQNFBmAk_1GqV9H.webp)  

**Onboarding and getting started**  
[Getting started](https://developers.cloudflare.com/ai-gateway/get-started/) with AI Gateway is now simpler. When you create your first gateway, we now show your gateway's OpenAI-compatible endpoint and step-by-step guidance to help you configure it. The Playground also includes helpful prompts, and usage pages have clear next steps if you have not made any requests yet.  
![AI Gateway onboarding flow](https://developers.cloudflare.com/_astro/onboarding-flow.DZ7aMcHa_Z2hyg1I.webp)  
We've also combined the previously separate code example sections into one view with dropdown selectors for API type, provider, SDK, and authentication method so you can now customize the exact code snippet you need from one place.

**Dynamic Routing**

  * The [route builder](https://developers.cloudflare.com/ai-gateway/features/dynamic-routing/) is now more performant and responsive.
  * You can now copy route names to your clipboard with a single click.
  * Code examples use the [Universal Endpoint](https://developers.cloudflare.com/ai-gateway/usage/universal/) format, making it easier to integrate routes into your application.

**Observability and analytics**

  * Small monetary values now display correctly in [cost analytics](https://developers.cloudflare.com/ai-gateway/observability/costs/) charts, so you can accurately track spending at any scale.

**Accessibility**

  * Improvements to keyboard navigation within the AI Gateway, specifically when exploring usage by [provider](https://developers.cloudflare.com/ai-gateway/usage/providers/).
  * Improvements to sorting and filtering components on the [Workers AI](https://developers.cloudflare.com/workers-ai/models/) models page.  
For more information, refer to the [AI Gateway documentation](https://developers.cloudflare.com/ai-gateway/).

Feb 19, 2026
1. ### [DEX Supports EU Customer Metadata Boundary](https://developers.cloudflare.com/changelog/post/2026-02-19-dex-supports-cmb-eu/)  
[ Digital Experience Monitoring ](https://developers.cloudflare.com/cloudflare-one/insights/dex/)  
[Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) provides visibility into [WARP](https://developers.cloudflare.com/warp-client/) device connectivity and performance to any internal or external application.  
Now, all DEX logs are fully compatible with Cloudflare's [Customer Metadata Boundary](https://developers.cloudflare.com/data-localization/metadata-boundary/) (CMB) setting for the 'EU' (European Union), which ensures that DEX logs will not be stored outside the 'EU' when the option is configured.  
If a Cloudflare One customer using DEX enables CMB 'EU', they will not see any DEX data in the Cloudflare One dashboard. Customers can ingest DEX data via [LogPush](https://developers.cloudflare.com/logs/logpush/), and build their own analytics and dashboards.  
If a customer enables CMB in their account, they will see the following message in the Digital Experience dashboard: "DEX data is unavailable because Customer Metadata Boundary configuration is on. Use Cloudflare LogPush to export DEX datasets."  
![Digital Experience Monitoring message when Customer Metadata Boundary for the EU is enabled](https://developers.cloudflare.com/_astro/dex_supports_cmb.6YOLXjHN_ZJh3uv.webp)

Feb 19, 2026
1. ### [Cloudforce One Threat events graphs are now visible in the dashboard](https://developers.cloudflare.com/changelog/post/2026-02-19-threat-events-graphs/)  
[ Security Center ](https://developers.cloudflare.com/security-center/)  
We have introduced dynamic visualizations to the Threat Events dashboard to help you better understand the threat landscape and identify emerging patterns at a glance.  
What's new:

  * **Sankey Diagrams**: Trace the flow of attacks from country of origin to target country to identify which regions are being hit hardest and where the threat infrastructure resides.  
![Sankey Diagram](https://developers.cloudflare.com/_astro/2026-02-19-sankey-diagram.VZMSmdZL_Z1dxq3E.webp)  
  * **Dataset Distribution over time**: Instantly pivot your view to understand if a specific campaign is targeting your sector or if it is a broad-spectrum commodity attack.  
![Events over time](https://developers.cloudflare.com/_astro/2026-02-19-events-over-time.CqD7VKqA_Z20JNi0.webp)  
  * **Enhanced Filtering**: Use these visual tools to filter and drill down into specific attack vectors directly from the charts.  
Cloudforce One subscribers can explore these new views now in [Application Security > Threat Intelligence > Threat Events ↗](https://dash.cloudflare.com/?to=/:account/security-center/threat-intelligence/threat-events).

Feb 18, 2026
1. ### [New cfWorker metric in Server-Timing header](https://developers.cloudflare.com/changelog/post/2026-02-18-cfworker-server-timing/)  
[ Analytics ](https://developers.cloudflare.com/analytics/)  
The Server-Timing header now includes a new `cfWorker` metric that measures time spent executing Cloudflare Workers, including any subrequests performed by the Worker. This helps developers accurately identify whether high Time to First Byte (TTFB) is caused by Worker processing or slow upstream dependencies.  
Previously, Worker execution time was included in the `edge` metric, making it harder to identify true edge performance. The new `cfWorker` metric provides this visibility:

| Metric   | Description                                                                           |
| -------- | ------------------------------------------------------------------------------------- |
| edge     | Total time spent on the Cloudflare edge, including Worker execution                   |
| origin   | Time spent fetching from the origin server                                            |
| cfWorker | Time spent in Worker execution, including subrequests but excluding origin fetch time |  
#### Example response  
```txt  
Server-Timing: cdn-cache; desc=DYNAMIC, edge; dur=20, origin; dur=100, cfWorker; dur=7  
```  
In this example, the edge took 20ms, the origin took 100ms, and the Worker added just 7ms of processing time.  
#### Availability  
The `cfWorker` metric is enabled by default if you have [Real User Monitoring (RUM)](https://developers.cloudflare.com/web-analytics/) enabled. Otherwise, you can enable it using [Rules](https://developers.cloudflare.com/rules/).  
This metric is particularly useful for:

  * **Performance debugging**: Quickly determine if latency is caused by Worker code, external API calls within Workers, or slow origins.
  * **Optimization targeting**: Identify which component of your request path needs optimization.
  * **Real User Monitoring (RUM)**: Access detailed timing breakdowns directly from response headers for client-side analytics.  
For more information about Server-Timing headers, refer to the [W3C Server Timing specification ↗](https://www.w3.org/TR/server-timing/).

Feb 17, 2026
1. ### [Streamlined clientless browser isolation for private applications](https://developers.cloudflare.com/changelog/post/2026-02-17-clientless-access-for-private-apps/)  
[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)  
A new **Allow clientless access** setting makes it easier to connect users without a device client to internal applications, without using public DNS.  
![Allow clientless access setting in the Cloudflare One dashboard](https://developers.cloudflare.com/_astro/allow-clientless-access.BHKwQuVt_1mLRiX.webp)  
Previously, to provide clientless access to a private hostname or IP without a [published application](https://developers.cloudflare.com/cloudflare-one/networks/routes/add-routes/#add-a-published-application-route), you had to create a separate [bookmark application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/bookmarks/) pointing to a prefixed [Clientless Web Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) URL (for example, `https://<your-teamname>.cloudflareaccess.com/browser/https://10.0.0.1/`). This bookmark was visible to all users in the App Launcher, regardless of whether they had access to the underlying application.  
Now, you can manage clientless access directly within your [private self-hosted application](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/). When **Allow clientless access** is turned on, users who pass your Access application policies will see a tile in their App Launcher pointing to the prefixed URL. Users must have [remote browser permissions](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) to open the link.

Feb 17, 2026
1. ### [Policies for bookmark applications](https://developers.cloudflare.com/changelog/post/2026-02-17-policies-for-bookmarks/)  
[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)  
You can now assign [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) to [bookmark applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/bookmarks/). This lets you control which users see a bookmark in the [App Launcher](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/app-launcher/) based on identity, device posture, and other policy rules.  
Previously, bookmark applications were visible to all users in your organization. With policy support, you can now:

  * **Tailor the App Launcher to each user** — Users only see the applications they have access to, reducing clutter and preventing accidental clicks on irrelevant resources.
  * **Restrict visibility of sensitive bookmarks** — Limit who can view bookmarks to internal tools or partner resources based on group membership, identity provider, or device posture.  
Bookmarks support all [Access policy configurations](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) except purpose justification, temporary authentication, and application isolation. If no policy is assigned, the bookmark remains visible to all users (maintaining backwards compatibility).  
For more information, refer to [Add bookmarks](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/bookmarks/).

Feb 17, 2026
1. ### [Agents SDK v0.5.0: Protocol message control, retry utilities, data parts, and @cloudflare/ai-chat v0.1.0](https://developers.cloudflare.com/changelog/post/2026-02-17-agents-sdk-v050/)  
[ Agents ](https://developers.cloudflare.com/agents/)[ Workers ](https://developers.cloudflare.com/workers/)  
The latest release of the [Agents SDK ↗](https://github.com/cloudflare/agents) adds built-in retry utilities, per-connection protocol message control, and a fully rewritten `@cloudflare/ai-chat` with data parts, tool approval persistence, and zero breaking changes.  
#### Retry utilities  
A new `this.retry()` method lets you retry any async operation with exponential backoff and jitter. You can pass an optional `shouldRetry` predicate to bail early on non-retryable errors.

  * [  JavaScript ](#tab-panel-4809)
  * [  TypeScript ](#tab-panel-4810)

**JavaScript**  
```js  
class MyAgent extends Agent {  
  async onRequest(request) {  
    const data = await this.retry(() => callUnreliableService(), {  
      maxAttempts: 4,  
      shouldRetry: (err) => !(err instanceof PermanentError),  
    });  
    return Response.json(data);  
  }  
}  
```

**TypeScript**  
```ts  
class MyAgent extends Agent {  
  async onRequest(request: Request) {  
    const data = await this.retry(() => callUnreliableService(), {  
      maxAttempts: 4,  
      shouldRetry: (err) => !(err instanceof PermanentError),  
    });  
    return Response.json(data);  
  }  
}  
```  
Retry options are also available per-task on `queue()`, `schedule()`, `scheduleEvery()`, and `addMcpServer()`:

  * [  JavaScript ](#tab-panel-4815)
  * [  TypeScript ](#tab-panel-4816)

**JavaScript**  
```js  
// Per-task retry configuration, persisted in SQLite alongside the task  
await this.schedule(  
  Date.now() + 60_000,  
  "sendReport",  
  { userId: "abc" },  
  {  
    retry: { maxAttempts: 5 },  
  },  
);  
// Class-level retry defaults  
class MyAgent extends Agent {  
  static options = {  
    retry: { maxAttempts: 3 },  
  };  
}  
```

**TypeScript**  
```ts  
// Per-task retry configuration, persisted in SQLite alongside the task  
await this.schedule(Date.now() + 60_000, "sendReport", { userId: "abc" }, {  
  retry: { maxAttempts: 5 },  
});  
// Class-level retry defaults  
class MyAgent extends Agent {  
  static options = {  
    retry: { maxAttempts: 3 },  
  };  
}  
```  
Retry options are validated eagerly at enqueue/schedule time, and invalid values throw immediately. Internal retries have also been added for workflow operations (`terminateWorkflow`, `pauseWorkflow`, and others) with Durable Object-aware error detection.  
#### Per-connection protocol message control  
Agents automatically send JSON text frames (identity, state, MCP server lists) to every WebSocket connection. You can now suppress these per-connection for clients that cannot handle them — binary-only devices, MQTT clients, or lightweight embedded systems.

  * [  JavaScript ](#tab-panel-4813)
  * [  TypeScript ](#tab-panel-4814)

**JavaScript**  
```js  
class MyAgent extends Agent {  
  shouldSendProtocolMessages(connection, ctx) {  
    // Suppress protocol messages for MQTT clients  
    const subprotocol = ctx.request.headers.get("Sec-WebSocket-Protocol");  
    return subprotocol !== "mqtt";  
  }  
}  
```

**TypeScript**  
```ts  
class MyAgent extends Agent {  
  shouldSendProtocolMessages(connection: Connection, ctx: ConnectionContext) {  
    // Suppress protocol messages for MQTT clients  
    const subprotocol = ctx.request.headers.get("Sec-WebSocket-Protocol");  
    return subprotocol !== "mqtt";  
  }  
}  
```  
Connections with protocol messages disabled still fully participate in RPC and regular messaging. Use `isConnectionProtocolEnabled(connection)` to check a connection's status at any time. The flag persists across Durable Object hibernation.  
See [Protocol messages](https://developers.cloudflare.com/agents/runtime/communication/protocol-messages/) for full documentation.  
#### `@cloudflare/ai-chat` v0.1.0  
The first stable release of `@cloudflare/ai-chat` ships alongside this release with a major refactor of `AIChatAgent` internals — new `ResumableStream` class, WebSocket `ChatTransport`, and simplified SSE parsing — with zero breaking changes. Existing code using `AIChatAgent` and `useAgentChat` works as-is.  
Key new features:

  * **Data parts** — Attach typed JSON blobs (`data-*`) to messages alongside text. Supports reconciliation (type+id updates in-place), append, and transient parts (ephemeral via `onData` callback). See [Data parts](https://developers.cloudflare.com/agents/communication-channels/chat/chat-agents/#data-parts).
  * **Tool approval persistence** — The `needsApproval` approval UI now survives page refresh and DO hibernation. The streaming message is persisted to SQLite when a tool enters `approval-requested` state.
  * **`maxPersistedMessages`** — Cap SQLite message storage with automatic oldest-message deletion.
  * **`body` option on `useAgentChat`** — Send custom data with every request (static or dynamic).
  * **Incremental persistence** — Hash-based cache to skip redundant SQL writes.
  * **Row size guard** — Automatic two-pass compaction when messages approach the SQLite 2 MB limit.
  * **`autoContinueAfterToolResult` defaults to `true`** — Client-side tool results and tool approvals now automatically trigger a server continuation, matching server-executed tool behavior. Set `autoContinueAfterToolResult: false` in `useAgentChat` to restore the previous behavior.  
Notable bug fixes:

  * Resolved stream resumption race conditions
  * Resolved an issue where `setMessages` functional updater sent empty arrays
  * Resolved an issue where client tool schemas were lost after DO hibernation
  * Resolved `InvalidPromptError` after tool approval (`approval.id` was dropped)
  * Resolved an issue where message metadata was not propagated on broadcast/resume paths
  * Resolved an issue where `clearAll()` did not clear in-memory chunk buffers
  * Resolved an issue where `reasoning-delta` silently dropped data when `reasoning-start` was missed during stream resumption  
#### Synchronous queue and schedule getters  
`getQueue()`, `getQueues()`, `getSchedule()`, `dequeue()`, `dequeueAll()`, and `dequeueAllByCallback()` were unnecessarily `async` despite only performing synchronous SQL operations. They now return values directly instead of wrapping them in Promises. This is backward compatible — existing code using `await` on these methods will continue to work.  
#### Other improvements

  * **Fix TypeScript "excessively deep" error** — A depth counter on `CanSerialize` and `IsSerializableParam` types bails out to `true` after 10 levels of recursion, preventing the "Type instantiation is excessively deep" error with deeply nested types like AI SDK `CoreMessage[]`.
  * **POST SSE keepalive** — The POST SSE handler now sends `event: ping` every 30 seconds to keep the connection alive, matching the existing GET SSE handler behavior. This prevents POST response streams from being silently dropped by proxies during long-running tool calls.
  * **Widened peer dependency ranges** — Peer dependency ranges across packages have been widened to prevent cascading major bumps during 0.x minor releases. `@cloudflare/ai-chat` and `@cloudflare/codemode` are now marked as optional peer dependencies.  
#### Upgrade  
To update to the latest version:  
```sh  
npm i agents@latest @cloudflare/ai-chat@latest  
```

Feb 17, 2026
1. ### [Cloudflare One Product Name Updates](https://developers.cloudflare.com/changelog/post/2026-02-17-product-name-updates/)  
[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/)[ Cloudflare Network Firewall ](https://developers.cloudflare.com/cloudflare-network-firewall/)[ Network Flow ](https://developers.cloudflare.com/network-flow/)  
We are updating naming related to some of our Networking products to better clarify their place in the Zero Trust and Secure Access Service Edge (SASE) journey.  
We are retiring some older brand names in favor of names that describe exactly what the products do within your network. We are doing this to help customers build better, clearer mental models for comprehensive SASE architecture delivered on Cloudflare.  
#### What's changing

  * **Magic WAN** → **Cloudflare WAN**
  * **Magic WAN IPsec** → **Cloudflare IPsec**
  * **Magic WAN GRE** → **Cloudflare GRE**
  * **Magic WAN Connector** → **Cloudflare One Appliance**
  * **Magic Firewall** → **Cloudflare Network Firewall**
  * **Magic Network Monitoring** → **Network Flow**
  * **Magic Cloud Networking** → **Cloudflare One Multi-cloud Networking**

**No action is required by you** — all functionality, existing configurations, and billing will remain exactly the same.  
For more information, visit the [Cloudflare One documentation](https://developers.cloudflare.com/cloudflare-one/).

Feb 17, 2026
1. ### [Docker-in-Docker support added to Containers and Sandboxes](https://developers.cloudflare.com/changelog/post/2026-02-17-docker-in-docker/)  
[ Containers ](https://developers.cloudflare.com/containers/)  
[Sandboxes](https://developers.cloudflare.com/sandbox/) and [Containers](https://developers.cloudflare.com/containers/) now support running Docker for "Docker-in-Docker" setups. This is particularly useful when your end users or [agents](https://developers.cloudflare.com/agents) want to run a full sandboxed development environment.  
This allows you to:

  * Develop containerized applications with your Sandbox
  * Run isolated test environments for images
  * Build container images as part of CI/CD workflows
  * Deploy arbitrary images supplied at runtime within a container  
For [Sandbox SDK](https://developers.cloudflare.com/sandbox/) users, see the [Docker-in-Docker guide](https://developers.cloudflare.com/sandbox/guides/docker-in-docker/) for instructions on combining Docker with the SandboxSDK. For general Containers usage, see the [Containers FAQ](https://developers.cloudflare.com/containers/faq/#can-i-run-docker-inside-a-container-docker-in-docker).

Feb 16, 2026
1. ### [Content encoding support for Markdown for Agents and other improvements](https://developers.cloudflare.com/changelog/post/2026-02-16-markdown-for-agents-improvements/)  
[ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)  
When AI systems request pages from any website that uses Cloudflare and has [Markdown for Agents](https://developers.cloudflare.com/fundamentals/reference/markdown-for-agents/) enabled, they can express the preference for `text/markdown` in the request: our network will automatically and efficiently convert the HTML to markdown, when possible, on the fly.  
This release adds the following improvements:

  * The origin response limit was raised from 1 MB to 2 MB (2,097,152 bytes).
  * We no longer require the origin to send the `content-length` header.
  * We now support content encoded responses from the origin.  
If you haven’t enabled automatic Markdown conversion yet, visit the [AI Crawl Control ↗](https://dash.cloudflare.com/?to=/:account/:zone/ai) section of the Cloudflare dashboard and enable **Markdown for Agents**.  
Refer to our [developer documentation](https://developers.cloudflare.com/fundamentals/reference/markdown-for-agents/) for more details.

Feb 16, 2026
1. ### [WAF Release - 2026-02-16](https://developers.cloudflare.com/changelog/post/2026-02-16-waf-release/)  
[ WAF ](https://developers.cloudflare.com/waf/)  
This week’s release introduces new detections for CVE-2025-68645 and CVE-2025-31125.

**Key Findings**

  * CVE-2025-68645: A Local File Inclusion (LFI) vulnerability in the Webmail Classic UI of Zimbra Collaboration Suite (ZCS) 10.0 and 10.1 allows unauthenticated remote attackers to craft requests to the `/h/rest` endpoint, improperly influence internal dispatching, and include arbitrary files from the WebRoot directory.
  * CVE-2025-31125: Vite, the JavaScript frontend tooling framework, exposes content of non-allowed files via `?inline&import` when its development server is network-exposed, enabling unauthorized attackers to read arbitrary files and potentially leak sensitive information.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                            | Previous Action | New Action | Comments                 |
| -------------------------- | ----------- | -------------- | ------------------------------------------------------ | --------------- | ---------- | ------------------------ |
| Cloudflare Managed Ruleset | ...833761f7 | N/A            | Zimbra - Local File Inclusion - CVE:CVE-2025-68645     | Log             | Block      | This is a new detection. |
| Cloudflare Managed Ruleset | ...950ed8c8 | N/A            | Vite - WASM Import Path Traversal - CVE:CVE-2025-31125 | Log             | Block      | This is a new detection. |

```json
{"@context":"https://schema.org","@type":"BlogPosting","@id":"https://developers.cloudflare.com/changelog/15/#page","headline":"Changelogs | Cloudflare Docs","url":"https://developers.cloudflare.com/changelog/15/","inLanguage":"en","image":"https://developers.cloudflare.com/cf-twitter-card.png","publisher":{"@type":"Organization","name":"Cloudflare","url":"https://www.cloudflare.com/"},"isPartOf":{"@type":"WebSite","@id":"https://developers.cloudflare.com/#website","name":"Cloudflare Docs","url":"https://developers.cloudflare.com/"}}
```
