---
title: Changelogs
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Changelog

New updates and improvements at Cloudflare.

Feb 06, 2026
1. ### [Visualize data, share links, and create exports with the new Workers Observability dashboard](https://developers.cloudflare.com/changelog/post/2026-02-06-observability-ui-refresh/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
The [Workers Observability dashboard ↗](https://dash.cloudflare.com/?to=/:account/workers-and-pages/observability/) has some major updates to make it easier to debug your application's issues and share findings with your team.  
![Workers Observability dashboard showing events view with event details and share options](https://developers.cloudflare.com/_astro/2026-01-22-events_share_obs_wobs.BvzY4TNV_eC7Hu.webp)  
You can now:

  * **Create visualizations** — Build charts from your Worker data directly in a Worker's Observability tab
  * **Export data as JSON or CSV** — Download logs and traces for offline analysis or to share with teammates
  * **Share events and traces** — Generate direct URLs to specific events, invocations, and traces that open standalone pages with full context
  * **Customize table columns** — Improved field picker to add, remove, and reorder columns in the events table
  * **Expandable event details** — Expand events inline to view full details without leaving the table
  * **Keyboard shortcuts** — Navigate the dashboard with hotkey support  
![Workers Observability dashboard showing a P99 CPU time visualization grouped by outcome](https://developers.cloudflare.com/_astro/2026-01-22-vis_qb_wobs.Bb5eVQNT_at6AT.webp)  
These updates are now live in the Cloudflare dashboard, both in a Worker's Observability tab and in the account-level Observability dashboard for a unified experience. To get started, go to **Workers & Pages** > select your Worker > **Observability**.

Feb 04, 2026
1. ### [New reference documentation](https://developers.cloudflare.com/changelog/post/2026-02-09-reference-documentation/)  
[ AI Crawl Control ](https://developers.cloudflare.com/ai-crawl-control/)  
New reference documentation is now available for AI Crawl Control:

  * **[GraphQL API reference](https://developers.cloudflare.com/ai-crawl-control/reference/graphql-api/)** — Query examples for crawler requests, top paths, referral traffic, and data transfer. Includes key filters for detection IDs, user agents, and referrer domains.
  * **[Bot reference](https://developers.cloudflare.com/ai-crawl-control/reference/bots/)** — Detection IDs and user agents for major AI crawlers from OpenAI, Anthropic, Google, Meta, and others.
  * **[Worker templates](https://developers.cloudflare.com/ai-crawl-control/reference/worker-templates/)** — Deploy the x402 Payment-Gated Proxy to monetize crawler access or charge bots while letting humans through free.

Feb 04, 2026
1. ### [Cloudflare Queues now available on Workers Free plan](https://developers.cloudflare.com/changelog/post/2026-02-04-queues-free-plan/)  
[ Queues ](https://developers.cloudflare.com/queues/)  
[Cloudflare Queues](https://developers.cloudflare.com/queues) is now part of the Workers free plan, offering guaranteed message delivery across up to **10,000 queues** to either [Cloudflare Workers](https://developers.cloudflare.com/workers) or [HTTP pull consumers](https://developers.cloudflare.com/queues/configuration/pull-consumers). Every Cloudflare account now includes **10,000 operations per day** across reads, writes, and deletes. For more details on how each operation is defined, refer to [Queues pricing ↗](https://developers.cloudflare.com/workers/platform/pricing/#queues).  
All features of the existing Queues functionality are available on the free plan, including unlimited [event subscriptions](https://developers.cloudflare.com/queues/event-subscriptions/). Note that the maximum retention period on the free tier, however, is 24 hours rather than 14 days.  
If you are new to Cloudflare Queues, follow [this guide ↗](https://developers.cloudflare.com/queues/get-started/) or try one of our [tutorials](https://developers.cloudflare.com/queues/tutorials/) to get started.

Feb 04, 2026
1. ### [Visualize your Workflows in the Cloudflare dashboard](https://developers.cloudflare.com/changelog/post/2026-02-03-workflows-visualizer/)  
[ Workflows ](https://developers.cloudflare.com/workflows/)[ Workers ](https://developers.cloudflare.com/workers/)  
Cloudflare Workflows now automatically generates visual diagrams from your code.  
Your Workflow is parsed to provide a visual map of the Workflow structure, allowing you to:

  * Understand how steps connect and execute
  * Visualize loops and nested logic
  * Follow branching paths for conditional logic  
![Example diagram](https://developers.cloudflare.com/_astro/2026-02-03-workflows-diagram.BfQAnWL3_Z203oFd.webp)  
You can collapse loops and nested logic to see the high-level flow, or expand them to see every step.  
Workflow diagrams are available in beta for all JavaScript and TypeScript Workflows. Find your Workflows in the [Cloudflare dashboard ↗](https://dash.cloudflare.com/?to=/:account/workers/workflows) to see their diagrams.

Feb 03, 2026
1. ### [Agents SDK v0.3.7: Workflows integration, synchronous state, and scheduleEvery()](https://developers.cloudflare.com/changelog/post/2026-02-03-agents-workflows-integration/)  
[ Agents ](https://developers.cloudflare.com/agents/)[ Workflows ](https://developers.cloudflare.com/workflows/)  
The latest release of the [Agents SDK ↗](https://github.com/cloudflare/agents) brings first-class support for [Cloudflare Workflows](https://developers.cloudflare.com/workflows/), synchronous state management, and new scheduling capabilities.  
#### Cloudflare Workflows integration  
Agents excel at real-time communication and state management. Workflows excel at durable execution. Together, they enable powerful patterns where Agents handle WebSocket connections while Workflows handle long-running tasks, retries, and human-in-the-loop flows.  
Use the new `AgentWorkflow` class to define workflows with typed access to your Agent:

**JavaScript**  
```js  
import { AgentWorkflow } from "agents/workflows";  
export class ProcessingWorkflow extends AgentWorkflow {  
  async run(event, step) {  
    // Call Agent methods via RPC  
    await this.agent.updateStatus(event.payload.taskId, "processing");  
    // Non-durable: progress reporting to clients  
    await this.reportProgress({ step: "process", percent: 0.5 });  
    this.broadcastToClients({ type: "update", taskId: event.payload.taskId });  
    // Durable via step: idempotent, won't repeat on retry  
    await step.mergeAgentState({ taskProgress: 0.5 });  
    const result = await step.do("process", async () => {  
      return processData(event.payload.data);  
    });  
    await step.reportComplete(result);  
    return result;  
  }  
}  
```

**TypeScript**  
```ts  
import { AgentWorkflow } from "agents/workflows";  
import type { AgentWorkflowEvent, AgentWorkflowStep } from "agents/workflows";  
export class ProcessingWorkflow extends AgentWorkflow<MyAgent, TaskParams> {  
  async run(event: AgentWorkflowEvent<TaskParams>, step: AgentWorkflowStep) {  
    // Call Agent methods via RPC  
    await this.agent.updateStatus(event.payload.taskId, "processing");  
    // Non-durable: progress reporting to clients  
    await this.reportProgress({ step: "process", percent: 0.5 });  
    this.broadcastToClients({ type: "update", taskId: event.payload.taskId });  
    // Durable via step: idempotent, won't repeat on retry  
    await step.mergeAgentState({ taskProgress: 0.5 });  
    const result = await step.do("process", async () => {  
      return processData(event.payload.data);  
    });  
    await step.reportComplete(result);  
    return result;  
  }  
}  
```  
Start workflows from your Agent with `runWorkflow()` and handle lifecycle events:

**JavaScript**  
```js  
export class MyAgent extends Agent {  
  async startTask(taskId, data) {  
    const instanceId = await this.runWorkflow("PROCESSING_WORKFLOW", {  
      taskId,  
      data,  
    });  
    return { instanceId };  
  }  
  async onWorkflowProgress(workflowName, instanceId, progress) {  
    this.broadcast(JSON.stringify({ type: "progress", progress }));  
  }  
  async onWorkflowComplete(workflowName, instanceId, result) {  
    console.log(`Workflow ${instanceId} completed`);  
  }  
  async onWorkflowError(workflowName, instanceId, error) {  
    console.error(`Workflow ${instanceId} failed:`, error);  
  }  
}  
```

**TypeScript**  
```ts  
export class MyAgent extends Agent {  
  async startTask(taskId: string, data: string) {  
    const instanceId = await this.runWorkflow("PROCESSING_WORKFLOW", {  
      taskId,  
      data,  
    });  
    return { instanceId };  
  }  
  async onWorkflowProgress(  
    workflowName: string,  
    instanceId: string,  
    progress: unknown,  
  ) {  
    this.broadcast(JSON.stringify({ type: "progress", progress }));  
  }  
  async onWorkflowComplete(  
    workflowName: string,  
    instanceId: string,  
    result?: unknown,  
  ) {  
    console.log(`Workflow ${instanceId} completed`);  
  }  
  async onWorkflowError(  
    workflowName: string,  
    instanceId: string,  
    error: unknown,  
  ) {  
    console.error(`Workflow ${instanceId} failed:`, error);  
  }  
}  
```  
Key workflow methods on your Agent:

  * `runWorkflow(workflowName, params, options?)` — Start a workflow with optional metadata
  * `getWorkflow(workflowId)` / `getWorkflows(criteria?)` — Query workflows with cursor-based pagination
  * `approveWorkflow(workflowId)` / `rejectWorkflow(workflowId)` — Human-in-the-loop approval flows
  * `pauseWorkflow()`, `resumeWorkflow()`, `terminateWorkflow()` — Workflow control  
#### Synchronous setState()  
State updates are now synchronous with a new `validateStateChange()` validation hook:

**JavaScript**  
```js  
export class MyAgent extends Agent {  
  validateStateChange(oldState, newState) {  
    // Return false to reject the change  
    if (newState.count < 0) return false;  
    // Return modified state to transform  
    return { ...newState, lastUpdated: Date.now() };  
  }  
}  
```

**TypeScript**  
```ts  
export class MyAgent extends Agent<Env, State> {  
  validateStateChange(oldState: State, newState: State): State | false {  
    // Return false to reject the change  
    if (newState.count < 0) return false;  
    // Return modified state to transform  
    return { ...newState, lastUpdated: Date.now() };  
  }  
}  
```  
#### scheduleEvery() for recurring tasks  
The new `scheduleEvery()` method enables fixed-interval recurring tasks with built-in overlap prevention:

**JavaScript**  
```js  
// Run every 5 minutes  
await this.scheduleEvery("syncData", 5 * 60 * 1000, { source: "api" });  
```

**TypeScript**  
```ts  
// Run every 5 minutes  
await this.scheduleEvery("syncData", 5 * 60 * 1000, { source: "api" });  
```  
#### Callable system improvements

  * **Client-side RPC timeout** — Set timeouts on callable method invocations
  * **`StreamingResponse.error(message)`** — Graceful stream error signaling
  * **`getCallableMethods()`** — Introspection API for discovering callable methods
  * **Connection close handling** — Pending calls are automatically rejected on disconnect

**JavaScript**  
```js  
await agent.call("method", [args], {  
  timeout: 5000,  
  stream: { onChunk, onDone, onError },  
});  
```

**TypeScript**  
```ts  
await agent.call("method", [args], {  
  timeout: 5000,  
  stream: { onChunk, onDone, onError },  
});  
```  
#### Email and routing enhancements

**Secure email reply routing** — Email replies are now secured with HMAC-SHA256 signed headers, preventing unauthorized routing of emails to agent instances.
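
The signing and verification pattern described above, as an added example that is not the Agents SDK's own code: the header names, the canonical form, the secret and the freshness window are all assumptions made for illustration. It runs under Node.js with `node:crypto` and shows why a reply with altered routing headers is refused.

```javascript
// Added example: HMAC-SHA256 signing and verification of reply-routing headers.
// Header names and field layout are hypothetical, not the Agents SDK's.
const { createHmac, timingSafeEqual } = require("node:crypto");

// Hypothetical header names; the caller is assumed to pass lowercased keys.
const H = {
  agent: "x-example-agent-name",
  id: "x-example-agent-id",
  ts: "x-example-issued-at",
  sig: "x-example-route-sig",
};

// Canonical form: a JSON array keeps field boundaries unambiguous, so
// ("support", "a1:b2") and ("support:a1", "b2") never serialize identically.
function canonical(agentName, agentId, issuedAt) {
  return JSON.stringify([String(agentName), String(agentId), Number(issuedAt)]);
}

function mac(secret, message) {
  return createHmac("sha256", secret).update(message, "utf8").digest();
}

// Outbound mail: attach routing headers plus a signature covering all of them.
function signReplyRoute({ agentName, agentId }, secret, nowSeconds) {
  const sig = mac(secret, canonical(agentName, agentId, nowSeconds));
  return {
    [H.agent]: agentName,
    [H.id]: agentId,
    [H.ts]: String(nowSeconds),
    [H.sig]: sig.toString("hex"),
  };
}

// Inbound reply: route only if the signature verifies and is fresh.
// maxAgeSeconds (7 days) and the 300 s clock-skew allowance are assumptions.
function verifyReplyRoute(headers, secret, nowSeconds, maxAgeSeconds = 7 * 24 * 3600) {
  const agentName = headers[H.agent];
  const agentId = headers[H.id];
  const issuedAt = Number(headers[H.ts]);
  const sigHex = headers[H.sig];
  if (!agentName || !agentId || !Number.isInteger(issuedAt) || typeof sigHex !== "string") {
    return { ok: false, reason: "missing-field" };
  }
  // Exactly 32 bytes of lowercase hex; anything else is rejected before comparing.
  if (!/^[0-9a-f]{64}$/.test(sigHex)) {
    return { ok: false, reason: "malformed-signature" };
  }
  const expected = mac(secret, canonical(agentName, agentId, issuedAt));
  const presented = Buffer.from(sigHex, "hex");
  // timingSafeEqual throws on unequal lengths; the regex above guarantees 32 bytes.
  if (!timingSafeEqual(expected, presented)) {
    return { ok: false, reason: "bad-signature" };
  }
  // Freshness is checked only after authenticity, so the timestamp is trusted.
  if (issuedAt > nowSeconds + 300 || nowSeconds - issuedAt > maxAgeSeconds) {
    return { ok: false, reason: "not-fresh" };
  }
  return { ok: true, route: { agentName, agentId } };
}

// Constructed sample data: a genuine reply and one whose agent ID was rewritten.
function runConstructedDemo() {
  const secret = "constructed-demo-secret";
  const sentAt = 1770000000;
  const genuine = signReplyRoute({ agentName: "support-agent", agentId: "user-42" }, secret, sentAt);
  const rerouted = { ...genuine, [H.id]: "user-1" };
  return {
    genuine: verifyReplyRoute(genuine, secret, sentAt + 3600),
    rerouted: verifyReplyRoute(rerouted, secret, sentAt + 3600),
  };
}

console.log(runConstructedDemo());
```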

**Routing improvements:**

  * `basePath` option to bypass default URL construction for custom routing
  * Server-sent identity — Agents send `name` and `agent` type on connect
  * New `onIdentity` and `onIdentityChange` callbacks on the client

**JavaScript**  
```js  
const agent = useAgent({  
  basePath: "user",  
  onIdentity: (name, agentType) => console.log(`Connected to ${name}`),  
});  
```

**TypeScript**  
```ts  
const agent = useAgent({  
  basePath: "user",  
  onIdentity: (name, agentType) => console.log(`Connected to ${name}`),  
});  
```  
#### Upgrade  
To update to the latest version:  
```sh  
npm i agents@latest  
```  
For the complete Workflows API reference and patterns, see [Run Workflows](https://developers.cloudflare.com/agents/runtime/execution/run-workflows/).

Feb 03, 2026
1. ### [Improve Global Upload Performance with R2 Local Uploads - Now in Open Beta](https://developers.cloudflare.com/changelog/post/2026-02-03-r2-local-uploads/)  
[ R2 ](https://developers.cloudflare.com/r2/)  
[Local Uploads](https://developers.cloudflare.com/r2/buckets/local-uploads/) is now available in open beta. Enable it on your [R2](https://developers.cloudflare.com/r2/) bucket to improve upload performance when clients upload data from a different region than your bucket. With Local Uploads enabled, object data is written to storage infrastructure near the client, then asynchronously replicated to your bucket. The object is immediately accessible and remains strongly consistent throughout. Refer to [How R2 works](https://developers.cloudflare.com/r2/how-r2-works/) for details on how data is written to your bucket.  
In our tests, we observed **up to 75% reduction in Time to Last Byte (TTLB)** for upload requests when Local Uploads is enabled.  
![Local Uploads latency comparison showing p50 TTLB dropping from around 2 seconds to 500ms after enabling Local Uploads](https://developers.cloudflare.com/_astro/local-uploads-latency.R4pUgVuI_2cwpHU.webp)  
This feature is ideal when:

  * Your users are globally distributed
  * Upload performance and reliability is critical to your application
  * You want to optimize write performance without changing your bucket's primary location  
To enable Local Uploads on your bucket, find **Local Uploads** in your bucket settings in the [Cloudflare Dashboard ↗](https://dash.cloudflare.com/?to=/:account/r2/overview), or run:  
```sh  
npx wrangler r2 bucket local-uploads enable <BUCKET_NAME>  
```  
Enabling Local Uploads on a bucket is seamless: existing uploads will complete as expected and there’s no interruption to traffic. There is no additional cost to enable Local Uploads. Upload requests incur the standard [Class A operation costs](https://developers.cloudflare.com/r2/pricing/), the same as upload requests made without Local Uploads.  
For more information, refer to [Local Uploads](https://developers.cloudflare.com/r2/buckets/local-uploads/).

Feb 03, 2026
1. ### [Threat actor identification with "also known as" aliases](https://developers.cloudflare.com/changelog/post/2026-02-03-threat-actor-name-mapping/)  
[ Security Center ](https://developers.cloudflare.com/security-center/)  
Identifying threat actors can be challenging, because naming conventions often vary across the security industry. To simplify your research, **Cloudflare Threat Events** now include an **Also known as** field, providing a list of common aliases and industry-standard names for the groups we track.  
This new field is available in both the Cloudflare dashboard and via the API. In the dashboard, you can view these aliases by expanding the event details side panel (under the **Attacker** field) or by adding it as a column in your configurable table view.  
#### Key benefits

  * Easily map Cloudflare-tracked actors to the naming conventions used by other vendors without manual cross-referencing.
  * Quickly identify if a detected threat actor matches a group your team is already monitoring via other intelligence feeds.  
For more information on how to access this data, refer to the [Threat Events API documentation ↗](https://developers.cloudflare.com/api/resources/cloudforce%5Fone/subresources/threat%5Fevents/).

Feb 02, 2026
1. ### [Improved Accessibility and Search for Monitoring](https://developers.cloudflare.com/changelog/post/2026-02-02-improved-accessibility-search-for-monitoring/)  
[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/)  
We have updated the Monitoring page to provide a more streamlined and insightful experience for administrators, improving both data visualization and dashboard accessibility.

  * **Enhanced Visual Layout**: Optimized contrast and the introduction of stacked bar charts for clearer data visualization and trend analysis. ![visual-example](https://developers.cloudflare.com/_astro/monitoring-bar-charts.Bi-4BuXC_xiAlF.webp)
  * **Improved Accessibility & Usability**:  
    * **Widget Search**: Added search functionality to multiple widgets, including Policies, Submitters, and Impersonation.
    * **Actionable UI**: All available actions are now accessible via dedicated buttons.
    * **State Indicators**: Improved UI states to clearly communicate loading, empty datasets, and error conditions. ![buttons-example](https://developers.cloudflare.com/_astro/monitoring-buttons.DORPJvP__1JBNhu.webp)
  * **Granular Data Breakdowns**: New views for dispositions by month, malicious email details, link actions, and impersonations. ![monthly-example](https://developers.cloudflare.com/_astro/monitoring-monthly-dispositions.CYuI5d9y_ZSVir3.webp)  
This applies to all Email Security packages:

  * **Advantage**
  * **Enterprise**
  * **Enterprise + PhishGuard**

Feb 02, 2026
1. ### [WAF Release - 2026-02-02](https://developers.cloudflare.com/changelog/post/2026-02-02-waf-release/)  
[ WAF ](https://developers.cloudflare.com/waf/)  
This week’s release introduces new detections for CVE-2025-64459 and CVE-2025-24893.

**Key Findings**

  * CVE-2025-64459: Django versions prior to 5.1.14, 5.2.8, and 4.2.26 are vulnerable to SQL injection via crafted dictionaries passed to QuerySet methods and the `Q()` class.
  * CVE-2025-24893: XWiki allows unauthenticated remote code execution through crafted requests to the SolrSearch endpoint, affecting the entire installation.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                          | Previous Action | New Action | Comments                                                |
| -------------------------- | ----------- | -------------- | ---------------------------------------------------- | --------------- | ---------- | ------------------------------------------------------- |
| Cloudflare Managed Ruleset | ...30698ff3 | N/A            | XWiki - Remote Code Execution - CVE:CVE-2025-24893 2 | Log             | Block      | This is a new detection.                                |
| Cloudflare Managed Ruleset | ...da8ba7e6 | N/A            | Django SQLI - CVE:CVE-2025-64459                     | Log             | Block      | This is a new detection.                                |
| Cloudflare Managed Ruleset | ...8d667511 | N/A            | NoSQL, MongoDB - SQLi - Comparison - 2               | Block           | Block      | Rule metadata description refined. Detection unchanged. |

Jan 30, 2026
1. ### [Reduced minimum cache TTL for Workers KV to 30 seconds](https://developers.cloudflare.com/changelog/post/2026-01-30-kv-reduced-minimum-cachettl/)  
[ KV ](https://developers.cloudflare.com/kv/)  
The minimum `cacheTtl` parameter for Workers KV has been reduced from 60 seconds to 30 seconds. This change applies to both `get()` and `getWithMetadata()` methods.  
This reduction allows you to maintain more up-to-date cached data and have finer-grained control over cache behavior. Applications requiring faster data refresh rates can now configure cache durations as low as 30 seconds instead of the previous 60-second minimum.  
The `cacheTtl` parameter defines how long a KV result is cached at the global network location it is accessed from:

**JavaScript**  
```js  
// Read with custom cache TTL  
const value = await env.NAMESPACE.get("my-key", {  
  cacheTtl: 30, // Cache for minimum 30 seconds (previously 60)  
});  
// getWithMetadata also supports the reduced cache TTL  
const valueWithMetadata = await env.NAMESPACE.getWithMetadata("my-key", {  
  cacheTtl: 30, // Cache for minimum 30 seconds  
});  
```  
The default cache TTL remains unchanged at 60 seconds. Upgrade to the latest version of Wrangler to use a 30-second `cacheTtl`.  
This change affects all KV read operations using the binding API. For more information, consult the [Workers KV cache TTL documentation](https://developers.cloudflare.com/kv/api/read-key-value-pairs/#cachettl-parameter).

Jan 30, 2026
1. ### [BGP over GRE and IPsec tunnels](https://developers.cloudflare.com/changelog/post/2026-01-30-bgp-over-tunnels/)  
[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/)[ Magic Transit ](https://developers.cloudflare.com/magic-transit/)[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)  
Magic WAN and Magic Transit customers can use the Cloudflare dashboard to configure and manage BGP peering between their networks and their Magic routing table when using IPsec and GRE tunnel on-ramps (beta).  
Using BGP peering allows customers to:

  * Automate the process of adding or removing networks and subnets.
  * Take advantage of failure detection and session recovery features.  
With this functionality, customers can:

  * Establish an eBGP session between their devices and the Magic WAN / Magic Transit service when connected via IPsec and GRE tunnel on-ramps.
  * Secure the session with MD5 authentication to prevent misconfigurations.
  * Exchange routes dynamically between their devices and their Magic routing table.  
For configuration details, refer to:

  * [Configure BGP routes for Magic WAN](https://developers.cloudflare.com/cloudflare-wan/configuration/how-to/configure-routes/#configure-bgp-routes)
  * [Configure BGP routes for Magic Transit](https://developers.cloudflare.com/magic-transit/how-to/configure-routes/#configure-bgp-routes)

Jan 28, 2026
1. ### [Launching FLUX.2 \[klein\] 9B on Workers AI](https://developers.cloudflare.com/changelog/post/2026-01-28-flux-2-klein-9b-workers-ai/)  
[ Workers AI ](https://developers.cloudflare.com/workers-ai/)  
We have partnered with Black Forest Labs (BFL) again to bring their optimized FLUX.2 \[klein\] 9B model to Workers AI. This distilled model offers enhanced quality compared to the 4B variant, while maintaining cost-effective pricing. With a fixed 4-step inference process, Klein 9B is ideal for rapid prototyping and real-time applications where both speed and quality matter.  
Read the [BFL blog ↗](https://bfl.ai/blog) to learn more about the model itself, or try it out yourself on our [multi modal playground ↗](https://multi-modal.ai.cloudflare.com/).  
Pricing documentation is available on the [model page](https://developers.cloudflare.com/workers-ai/models/flux-2-klein-9b/) or [pricing page](https://developers.cloudflare.com/workers-ai/platform/pricing/).  
#### Workers AI platform specifics  
The model hosted on Workers AI is optimized for speed with a **fixed 4-step inference process** and supports up to 4 image inputs. Since this is a distilled model, the `steps` parameter is fixed at 4 and cannot be adjusted. Like FLUX.2 \[dev\] and FLUX.2 \[klein\] 4B, this image model uses multipart form data inputs, even if you just have a prompt.  
With the REST API, the multipart form data input looks like this:  
```bash  
curl --request POST \
  --url 'https://api.cloudflare.com/client/v4/accounts/{ACCOUNT}/ai/run/@cf/black-forest-labs/flux-2-klein-9b' \
  --header 'Authorization: Bearer {TOKEN}' \
  --header 'Content-Type: multipart/form-data' \
  --form 'prompt=a sunset at the alps' \
  --form width=1024 \
  --form height=1024  
```  
With the Workers AI binding, you can use it as such:

**JavaScript**  
```javascript  
const form = new FormData();  
form.append("prompt", "a sunset with a dog");  
form.append("width", "1024");  
form.append("height", "1024");  
// FormData doesn't expose its serialized body or boundary. Passing it to a  
// Request (or Response) constructor serializes it and generates the Content-Type  
// header with the boundary, which is required for the server to parse the multipart fields.  
const formResponse = new Response(form);  
const formStream = formResponse.body;  
const formContentType = formResponse.headers.get('content-type');  
const resp = await env.AI.run("@cf/black-forest-labs/flux-2-klein-9b", {  
  multipart: {  
    body: formStream,  
    contentType: formContentType,  
  },  
});  
```  
The parameters you can send to the model are detailed here:  
JSON Schema for Model

**Required Parameters**

  * `prompt` (string) - Text description of the image to generate

**Optional Parameters**

  * `input_image_0` (string) - Binary image
  * `input_image_1` (string) - Binary image
  * `input_image_2` (string) - Binary image
  * `input_image_3` (string) - Binary image
  * `guidance` (float) - Guidance scale for generation. Higher values follow the prompt more closely
  * `width` (integer) - Width of the image, default `1024` Range: 256-1920
  * `height` (integer) - Height of the image, default `768` Range: 256-1920
  * `seed` (integer) - Seed for reproducibility

**Note:** Since this is a distilled model, the `steps` parameter is fixed at 4 and cannot be adjusted.  
#### Multi-reference images  
The FLUX.2 klein-9b model supports generating images based on reference images, just like FLUX.2 \[dev\] and FLUX.2 \[klein\] 4B. You can use this feature to apply the style of one image to another, add a new character to an image, or iterate on past generated images. You would use it with the same multipart form data structure, with the input images in binary. The model supports up to 4 input images.  
For the prompt, you can reference the images based on the index, like `take the subject of image 1 and style it like image 0` or even use natural language like `place the dog beside the woman`.  
You must name the input parameter as `input_image_0`, `input_image_1`, `input_image_2`, `input_image_3` for it to work correctly. All input images must be smaller than 512x512.  
```bash  
curl --request POST \
  --url 'https://api.cloudflare.com/client/v4/accounts/{ACCOUNT}/ai/run/@cf/black-forest-labs/flux-2-klein-9b' \
  --header 'Authorization: Bearer {TOKEN}' \
  --header 'Content-Type: multipart/form-data' \
  --form 'prompt=take the subject of image 1 and style it like image 0' \
  --form input_image_0=@/Users/johndoe/Desktop/icedoutkeanu.png \
  --form input_image_1=@/Users/johndoe/Desktop/me.png \
  --form width=1024 \
  --form height=1024  
```  
Through Workers AI Binding:

**JavaScript**  
```javascript  
// Helper function to convert a ReadableStream to a Blob  
async function streamToBlob(stream, contentType) {  
  const reader = stream.getReader();  
  const chunks = [];  
  while (true) {  
    const { done, value } = await reader.read();  
    if (done) break;  
    chunks.push(value);  
  }  
  return new Blob(chunks, { type: contentType });  
}  
const image0 = await fetch("http://image-url");  
const image1 = await fetch("http://image-url");  
const form = new FormData();  
const image_blob0 = await streamToBlob(image0.body, "image/png");  
const image_blob1 = await streamToBlob(image1.body, "image/png");  
form.append('input_image_0', image_blob0)  
form.append('input_image_1', image_blob1)  
form.append('prompt', 'take the subject of image 1 and style it like image 0')  
// FormData doesn't expose its serialized body or boundary. Passing it to a  
// Request (or Response) constructor serializes it and generates the Content-Type  
// header with the boundary, which is required for the server to parse the multipart fields.  
const formResponse = new Response(form);  
const formStream = formResponse.body;  
const formContentType = formResponse.headers.get('content-type');  
const resp = await env.AI.run("@cf/black-forest-labs/flux-2-klein-9b", {  
    multipart: {  
        body: formStream,  
        contentType: formContentType  
    }  
})  
```

Jan 27, 2026
1. ### [WARP client for Windows (version 2026.1.89.1)](https://developers.cloudflare.com/changelog/post/2026-01-27-warp-windows-beta/)  
[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)  
A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).  
This release contains minor fixes, improvements, and new features.

**Changes and improvements**

  * Improvements to [multi-user mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/windows-multiuser/). Fixed an issue where Mobile Device Management (MDM) configuration association could be lost when switching from a pre-login registration to a user registration.
  * Added a new feature to [manage NetBIOS over TCP/IP](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#netbios-over-tcpip) functionality on the Windows client. NetBIOS over TCP/IP on the Windows client is now disabled by default and can be enabled in [device profile settings](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/).
  * Fixed an issue causing failure of the [local network exclusion](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion) feature when configured with a timeout of `0`.
  * Improvement for the Windows [client certificate posture check](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/warp-client-checks/client-certificate/) to ensure logged results are from checks that run once users log in.
  * Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard.

**Known issues**

  * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
  * Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
  * DNS resolution may be broken when the following conditions are all true:

    * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
    * A custom DNS server address is configured on the primary network adapter.
    * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
  To work around this issue, reconnect the WARP client by toggling off and back on.

Jan 27, 2026
1. ### [WARP client for macOS (version 2026.1.89.1)](https://developers.cloudflare.com/changelog/post/2026-01-27-warp-macos-beta/)  
[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)  
A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).  
This release contains minor fixes and improvements.

**Changes and improvements**

  * Fixed an issue causing failure of the [local network exclusion](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion) feature when configured with a timeout of `0`.
  * Improvement for more accurate reporting of device colocation information in the Cloudflare One dashboard.

Jan 27, 2026
1. ### [Configure Cloudflare source IPs (beta)](https://developers.cloudflare.com/changelog/post/2026-01-27-configure-cloudflare-source-ips/)  
[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/)  
Cloudflare source IPs are the IP addresses used by Cloudflare services (such as Load Balancing, Gateway, and Browser Isolation) when sending traffic to your private networks.  
For customers using legacy mode routing, traffic to private networks is sourced from public Cloudflare IPs, which may cause IP conflicts. For customers using Unified Routing mode (beta), traffic to private networks is sourced from a dedicated, non-Internet-routable private IPv4 range to ensure:

  * Symmetric routing over private network connections
  * Proper firewall state preservation
  * Private traffic stays on secure paths  
Key details:

  * **IPv4**: Sourced from `100.64.0.0/12` by default, configurable to any `/12` CIDR
  * **IPv6**: Sourced from `2606:4700:cf1:5000::/64` (not configurable)
  * **Affected connectors**: GRE, IPsec, CNI, WARP Connector, and WARP Client (Cloudflare Tunnel is not affected)  
Configuring Cloudflare source IPs requires Unified Routing (beta) and the `Cloudflare One Networks Write` permission.  
For configuration details, refer to [Configure Cloudflare source IPs](https://developers.cloudflare.com/cloudflare-wan/configuration/how-to/configure-cloudflare-source-ips/).
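
A pre-change check for the source ranges listed above, added here as an example and not Cloudflare's code: it validates a candidate IPv4 `/12`, finds on-premises prefixes that overlap it, and reports which source ranges a firewall allowlist does not yet cover. The site names, prefixes, candidate ranges and function names are constructed for illustration.

```python
import ipaddress

DEFAULT_SOURCE_V4 = "100.64.0.0/12"        # default from the entry above
SOURCE_V6 = "2606:4700:cf1:5000::/64"      # fixed, not configurable


def parse_source_range(cidr):
    """Return the network if cidr is a valid IPv4 /12, else raise ValueError."""
    # strict=True rejects host bits, e.g. 100.70.0.0/12 is not a network address.
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen != 12:
        raise ValueError(f"{cidr} is not an IPv4 /12")
    return net


def find_conflicts(source_cidr, site_prefixes):
    """List (site, prefix) pairs whose IPv4 prefix overlaps the source range."""
    source = parse_source_range(source_cidr)
    conflicts = []
    for site, prefixes in site_prefixes.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix, strict=False)
            if net.version == 4 and net.overlaps(source):
                conflicts.append((site, prefix))
    return conflicts


def first_conflict_free(candidates, site_prefixes):
    """Return the first candidate /12 that overlaps no site prefix, or None."""
    for cidr in candidates:
        if not find_conflicts(cidr, site_prefixes):
            return cidr
    return None


def uncovered_sources(source_cidr, firewall_allowlist):
    """Source ranges (IPv4 and the fixed IPv6) that no allowlist entry contains."""
    sources = [parse_source_range(source_cidr), ipaddress.ip_network(SOURCE_V6)]
    allowed = [ipaddress.ip_network(a, strict=False) for a in firewall_allowlist]
    missing = []
    for src in sources:
        if not any(a.version == src.version and src.subnet_of(a) for a in allowed):
            missing.append(str(src))
    return missing


# Constructed inventory of prefixes already routed at each site.
SITES = {
    "hq": ["10.0.0.0/16", "172.20.0.0/16"],
    "lab": ["100.72.0.0/16"],          # shared address space reused on-prem
    "branch": ["192.168.10.0/24"],
}

if __name__ == "__main__":
    print("default conflicts:", find_conflicts(DEFAULT_SOURCE_V4, SITES))
    choice = first_conflict_free([DEFAULT_SOURCE_V4, "10.0.0.0/12", "10.64.0.0/12"], SITES)
    print("first conflict-free /12:", choice)
    print("allowlist gaps:", uncovered_sources(choice, ["10.64.0.0/12"]))
```
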

Jan 27, 2026
1. ### [Added Timezone preferences settings](https://developers.cloudflare.com/changelog/post/2026-01-27-timezone-preferences/)  
[ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)  
You can now set the timezone in the Cloudflare dashboard as Coordinated Universal Time (UTC) or your browser or system's timezone.  
#### What's New  
Unless otherwise specified in the user interface, all dates and times in the Cloudflare dashboard are now displayed in the selected timezone.  
You can change the timezone setting from the user profile dropdown.  
![Timezone preference dropdown](https://developers.cloudflare.com/_astro/2026-01-27-set-timezone.CUmMl54E_2ucVUh.webp)  
The page will reload to apply the new timezone setting.

Jan 27, 2026
1. ### [Control request and response body buffering in Configuration Rules](https://developers.cloudflare.com/changelog/post/2026-01-27-body-buffering-settings/)  
[ Rules ](https://developers.cloudflare.com/rules/)  
You can now control how Cloudflare buffers HTTP request and response bodies using two new settings in [Configuration Rules](https://developers.cloudflare.com/rules/configuration-rules/).  
#### Request body buffering  
Controls how Cloudflare buffers HTTP request bodies before forwarding them to your origin server:

| Mode                   | Behavior                                                                                                      |
| ---------------------- | ------------------------------------------------------------------------------------------------------------- |
| **Standard** (default) | Cloudflare can inspect a prefix of the request body for enabled functionality such as WAF and Bot Management. |
| **Full**               | Buffers the entire request body before sending to origin.                                                     |
| **None**               | No buffering — the request body streams directly to origin without inspection.                                |  
#### Response body buffering  
Controls how Cloudflare buffers HTTP response bodies before forwarding them to the client:

| Mode                   | Behavior                                                                            |
| ---------------------- | ----------------------------------------------------------------------------------- |
| **Standard** (default) | Cloudflare can inspect a prefix of the response body for enabled functionality.     |
| **None**               | No buffering — the response body streams directly to the client without inspection. |  
Warning  
Setting body buffering to **None** may break security functionality that requires body inspection, including the Web Application Firewall (WAF) and Bot Management. Ensure that any paths where you disable buffering do not require security inspection.  
#### API example  
```json  
{  
  "action": "set_config",  
  "action_parameters": {  
    "request_body_buffering": "standard",  
    "response_body_buffering": "none"  
  }  
}  
```  
For more information, refer to [Configuration Rules](https://developers.cloudflare.com/rules/configuration-rules/).

Jan 26, 2026
1. ### [WAF Release - 2026-01-26](https://developers.cloudflare.com/changelog/post/2026-01-26-waf-release/)  
[ WAF ](https://developers.cloudflare.com/waf/)  
This week’s release introduces new detections for denial-of-service attempts targeting React CVE-2026-23864 ([https://www.cve.org/CVERecord?id=CVE-2026-23864 ↗](https://www.cve.org/CVERecord?id=CVE-2026-23864)).

**Key Findings**

  * CVE-2026-23864 ([https://www.cve.org/CVERecord?id=CVE-2026-23864 ↗](https://www.cve.org/CVERecord?id=CVE-2026-23864)) affects `react-server-dom-parcel`, `react-server-dom-turbopack`, and `react-server-dom-webpack` packages.
  * Attackers can send crafted HTTP requests to Server Function endpoints, causing server crashes, out-of-memory exceptions, or excessive CPU usage.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                 | Previous Action | New Action | Comments                 |
| -------------------------- | ----------- | -------------- | ------------------------------------------- | --------------- | ---------- | ------------------------ |
| Cloudflare Managed Ruleset | ...61680354 | N/A            | React Server - DOS - CVE:CVE-2026-23864 - 1 | N/A             | Block      | This is a new detection. |
| Cloudflare Managed Ruleset | ...dcdffcf8 | N/A            | React Server - DOS - CVE:CVE-2026-23864 - 2 | N/A             | Block      | This is a new detection. |
| Cloudflare Managed Ruleset | ...349edbc6 | N/A            | React Server - DOS - CVE:CVE-2026-23864 - 3 | N/A             | Block      | This is a new detection. |

Jan 23, 2026
1. ### [New 2FA Experience for Login](https://developers.cloudflare.com/changelog/post/2026-01-23-new-2fa-experience/)  
[ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)  
![Screenshot of new 2FA enrollment experience](https://developers.cloudflare.com/_astro/2026-01-23-2fa-interstitial.TXFGNSth_ZOKoRB.webp)  
In an effort to improve overall user security, users without 2FA will be prompted upon login to enroll in email 2FA. This will improve user security posture while minimizing friction. Users without email 2FA enabled will see a prompt to secure their account with additional factors upon logging in. Enrolling in 2FA remains optional, but is strongly encouraged as it is the best way to prevent account takeovers.  
We also made changes to existing 2FA screens to improve the user experience. Now we have distinct experiences for each 2FA factor type, reflective of the way that factor works.  
#### For more information

  * [Configure Email Two Factor Authentication](https://developers.cloudflare.com/fundamentals/user-profiles/2fa/#configure-email-two-factor-authentication)

Jan 23, 2026
1. ### [Increased Pages file limit to 100,000 for paid plans](https://developers.cloudflare.com/changelog/post/2026-01-23-pages-file-limit-increase/)  
[ Pages ](https://developers.cloudflare.com/pages/)  
Paid plans can now have up to 100,000 files per Pages site, increased from the previous limit of 20,000 files.  
To enable this increased limit, set the environment variable `PAGES_WRANGLER_MAJOR_VERSION=4` in your Pages project settings.  
The Free plan remains at 20,000 files per site.  
For more details, refer to the [Pages limits documentation](https://developers.cloudflare.com/pages/platform/limits/#files).

Jan 23, 2026
1. ### [Vectorize indexes now support up to 10 million vectors](https://developers.cloudflare.com/changelog/post/2026-01-23-increased-index-capacity/)  
[ Vectorize ](https://developers.cloudflare.com/vectorize/)  
You can now store up to 10 million vectors in a single Vectorize index, doubling the previous limit of 5 million vectors. This enables larger-scale semantic search, recommendation systems, and retrieval-augmented generation (RAG) applications without splitting data across multiple indexes.  
Vectorize continues to support indexes with up to 1,536 dimensions per vector at 32-bit precision. Refer to the [Vectorize limits documentation](https://developers.cloudflare.com/vectorize/platform/limits/) for complete details.

Jan 22, 2026
1. ### [Require Access protection for zones](https://developers.cloudflare.com/changelog/post/2026-01-22-deny-by-default-for-zones/)  
[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)  
You can now require Cloudflare Access protection for all hostnames in your account. When enabled, traffic to any hostname that does not have a matching Access application is automatically blocked.  
This deny-by-default approach prevents accidental exposure of internal resources to the public Internet. If a developer deploys a new application or creates a DNS record without configuring an Access application, the traffic is blocked rather than exposed.  
![Require Cloudflare Access protection in the dashboard](https://developers.cloudflare.com/_astro/require-cloudflare-access-protection.BAUmTYOs_ZxNecb.webp)  
#### How it works

  * **Blocked by default**: Traffic to all hostnames in the account is blocked unless an Access application exists for that hostname.
  * **Explicit access required**: To allow traffic, create an Access application with an Allow or Bypass policy.
  * **Hostname exemptions**: You can exempt specific hostnames from this requirement.  
To turn on this feature, refer to [Require Access protection](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/require-access-protection/).

Jan 22, 2026
1. ### [New granular API token permissions for Cloudflare Access](https://developers.cloudflare.com/changelog/post/2026-01-22-granular-api-token-permissions/)  
[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)  
Three new API token permissions are available for Cloudflare Access, giving you finer-grained control when building automations and integrations:

  * **Access: Organizations Revoke** — Grants the ability to [revoke user sessions](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/#revoke-user-sessions) in a Zero Trust organization. Use this permission when you need a token that can terminate active sessions without broader write access to organization settings.
  * **Access: Population Read** — Grants read access to the [SCIM users and groups](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/) synced from an identity provider to Cloudflare Access. Use this permission for tokens that only need to read synced user and group data.
  * **Access: Population Write** — Grants write access to the [SCIM users and groups](https://developers.cloudflare.com/cloudflare-one/team-and-resources/users/scim/) synced from an identity provider to Cloudflare Access. Use this permission for tokens that need to create or modify synced user and group data.  
These permissions are scoped at the account level and can be combined with existing Access permissions.  
For a full list of available permissions, refer to [API token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/).

Jan 22, 2026
1. ### [New cryptographic functions — encode\_base64() and sha256()](https://developers.cloudflare.com/changelog/post/2026-01-22-sha256-base64-encode-functions/)  
[ Rules ](https://developers.cloudflare.com/rules/)  
Cloudflare Rulesets now includes `encode_base64()` and `sha256()` functions, enabling you to generate signed request headers directly in rule expressions. These functions support common patterns like constructing a canonical string from request attributes, computing a SHA256 digest, and Base64-encoding the result.

---  
#### New functions

| Function                     | Description                                                                                                                                                                                                                                             | Availability                          |
| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- |
| `encode_base64(input, flags)` | Encodes a string to Base64 format. Optional `flags` parameter: `u` for URL-safe encoding, `p` for padding (adds `=` characters to make the output length a multiple of 4, as required by some systems). By default, output is standard Base64 without padding. | All plans (in header transform rules) |
| `sha256(input)` | Computes a SHA256 hash of the input string. | Requires enablement |  
Note  
The `sha256()` function is available as an Enterprise add-on and requires a specific entitlement. Contact your account team to enable it.

---  
#### Examples

**Encode a string to Base64 format:**  
```txt  
encode_base64("hello world")  
```  
Returns: `aGVsbG8gd29ybGQ`

**Encode a string to Base64 format with padding:**  
```txt  
encode_base64("hello world", "p")  
```  
Returns: `aGVsbG8gd29ybGQ=`

**Perform a URL-safe Base64 encoding of a string:**  
```txt  
encode_base64("hello world", "u")  
```  
Returns: `aGVsbG8gd29ybGQ`

**Compute the SHA256 hash of a secret token:**  
```txt  
sha256("my-token")  
```  
Returns a hash that your origin can validate to authenticate requests.

**Compute the SHA256 hash of a string and encode the result to Base64 format:**  
```txt  
encode_base64(sha256("my-token"))  
```  
Combines hashing and encoding for systems that expect Base64-encoded signatures.  
For more information, refer to the [Functions reference](https://developers.cloudflare.com/ruleset-engine/rules-language/functions/).
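
An origin-side check for a header value built with `encode_base64(sha256(...))`, added here as an example and not Cloudflare's code. `encode_base64()` below only models the flags documented above; the canonical string and function names are assumptions, and because this entry does not state whether `sha256()` hands raw bytes or hex text to `encode_base64()`, the verifier accepts either.

```python
import base64
import binascii
import hashlib
import hmac


def encode_base64(data, flags=""):
    """Model of the documented flags: "u" = URL-safe alphabet, "p" = '=' padding."""
    raw = data.encode("utf-8") if isinstance(data, str) else data
    encoder = base64.urlsafe_b64encode if "u" in flags else base64.b64encode
    text = encoder(raw).decode("ascii")
    return text if "p" in flags else text.rstrip("=")


def decode_base64_lenient(value):
    """Decode standard or URL-safe Base64, padded or not. None if malformed."""
    stripped = value.strip().rstrip("=")
    if not stripped or len(stripped) % 4 == 1:
        return None
    normalized = stripped.replace("-", "+").replace("_", "/")
    padded = normalized + "=" * (-len(normalized) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def expected_header(canonical, flags="", hex_text=False):
    """Value the edge rule would emit for canonical (assumed output forms)."""
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    payload = digest.hex() if hex_text else digest
    return encode_base64(payload, flags)


def verify_header(header_value, canonical):
    """True if header_value is the Base64 form of SHA-256(canonical)."""
    if not header_value:
        return False
    decoded = decode_base64_lenient(header_value)
    if decoded is None:
        return False
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    # Assumption: accept the raw digest or its lowercase hex text.
    candidates = (digest, digest.hex().encode("ascii"))
    # Evaluate every comparison in constant time before combining the results.
    results = [hmac.compare_digest(decoded, c) for c in candidates]
    return any(results)


if __name__ == "__main__":
    header = expected_header("my-token")          # unpadded, as in the default
    print(header, verify_header(header, "my-token"))
    print(verify_header(header, "other-token"))
```

A hash of a fixed token is itself a fixed value, so the header works as a shared secret: anyone who can read it can replay it unless the canonical string also includes request attributes.
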

Jan 22, 2026
1. ### [New Placement Hints for Workers](https://developers.cloudflare.com/changelog/post/2026-01-22-explicit-placement-hints/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
You can now configure Workers to run close to infrastructure in legacy cloud regions to minimize latency to existing services and databases. This is most useful when your Worker makes multiple round trips.  
To [set a placement hint](https://developers.cloudflare.com/workers/configuration/placement/#configure-explicit-placement-hints), set the `placement.region` property in your Wrangler configuration file:

**JSONC**  
```jsonc  
{  
  "placement": {  
    "region": "aws:us-east-1",  
  },  
}  
```

**TOML**  
```toml  
[placement]  
region = "aws:us-east-1"  
```  
Placement hints support Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure region identifiers. Workers run in the [Cloudflare data center ↗](https://www.cloudflare.com/network/) with the lowest latency to the specified cloud region.  
If your existing infrastructure is not in these cloud providers, expose it to placement probes with `placement.host` for layer 4 checks or `placement.hostname` for layer 7 checks. These probes are designed to locate single-homed infrastructure and are not suitable for anycasted or multicasted resources.

**JSONC**  
```jsonc  
{  
  "placement": {  
    "host": "my_database_host.com:5432",  
  },  
}  
```

**TOML**  
```toml  
[placement]  
host = "my_database_host.com:5432"  
```

**JSONC**  
```jsonc  
{  
  "placement": {  
    "hostname": "my_api_server.com",  
  },  
}  
```

**TOML**  
```toml  
[placement]  
hostname = "my_api_server.com"  
```  
This is an extension of [Smart Placement](https://developers.cloudflare.com/workers/configuration/placement/#enable-smart-placement), which automatically places your Workers closer to back-end APIs based on measured latency. When you do not know the location of your back-end APIs or have multiple back-end APIs, set `mode: "smart"`:

**JSONC**  
```jsonc  
{  
  "placement": {  
    "mode": "smart",  
  },  
}  
```

**TOML**  
```toml  
[placement]  
mode = "smart"  
```

