---
title: Changelogs
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Changelog

New updates and improvements at Cloudflare.


Sep 01, 2025
1. ### [WAF Release - 2025-09-01](https://developers.cloudflare.com/changelog/post/2025-09-01-waf-release/)  
[ WAF ](https://developers.cloudflare.com/waf/)  

**This week's update**  
This week, a critical vulnerability was disclosed in Fortinet FortiWeb (versions 7.6.3 and below, versions 7.4.7 and below, versions 7.2.10 and below, and versions 7.0.10 and below), linked to improper parameter handling that could allow unauthorized access.

**Key Findings**

  * Fortinet FortiWeb (CVE-2025-52970): A vulnerability may allow an unauthenticated remote attacker with access to non-public information to log in as any existing user on the device via a specially crafted request.

**Impact**  
Exploitation could allow an unauthenticated attacker to impersonate any existing user on the device, potentially enabling them to modify system settings or exfiltrate sensitive information, posing a serious security risk. Upgrading to the latest vendor-released version is strongly recommended.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                          | Previous Action | New Action | Comments                                                |
| -------------------------- | ----------- | -------------- | ---------------------------------------------------- | --------------- | ---------- | ------------------------------------------------------- |
| Cloudflare Managed Ruleset | ...c49b7cf8 | 100586         | Fortinet FortiWeb - Auth Bypass - CVE:CVE-2025-52970 | Log             | Disabled   | This is a New Detection                                 |
| Cloudflare Managed Ruleset | ...790c9dde | 100136C        | XSS - JavaScript - Headers and Body                  | N/A             | N/A        | Rule metadata description refined. Detection unchanged. |

Aug 29, 2025
1. ### [Smart Tiered Cache Fallback to Generic](https://developers.cloudflare.com/changelog/post/2025-08-29-smart-tiered-cache-fallback-to-generic/)  
[ Cache / CDN ](https://developers.cloudflare.com/cache/)  
[Smart Tiered Cache](https://developers.cloudflare.com/cache/how-to/tiered-cache/#smart-tiered-cache) now falls back to [Generic Tiered Cache](https://developers.cloudflare.com/cache/how-to/tiered-cache/#generic-global-tiered-cache) when the origin location cannot be determined, improving cache precision for your content.  
Previously, when Smart Tiered Cache was unable to select the optimal upper tier (such as when origins are masked by Anycast IPs), latency could be negatively impacted. This fallback now uses Generic Tiered Cache instead, providing better performance and cache efficiency.  
#### How it works  
When Smart Tiered Cache falls back to Generic Tiered Cache:

  1. **Multiple upper-tiers**: Uses all of Cloudflare's global data centers as a network of upper-tiers instead of a single optimal location.
  2. **Distributed cache requests**: Lower-tier data centers can query any available upper-tier for cached content.
  3. **Improved global coverage**: Provides better cache hit ratios across geographically distributed visitors.
  4. **Automatic fallback**: Seamlessly transitions when origin location cannot be determined, such as with Anycast-masked origins.  
#### Benefits

  * **Preserves high performance during fallback**: Smart Tiered Cache now maintains strong cache efficiency even when optimal upper tier selection is not possible.
  * **Minimizes latency impact**: Automatically uses Generic Tiered Cache topology to keep performance high when origin location cannot be determined.
  * **Seamless experience**: No configuration changes or intervention required when fallback occurs.
  * **Improved resilience**: Smart Tiered Cache remains effective across diverse origin infrastructure, including Anycast-masked origins.  
#### Get started  
This improvement is automatically applied to all zones using [Smart Tiered Cache](https://developers.cloudflare.com/cache/how-to/tiered-cache/). No action is required on your part.

Aug 29, 2025
1. ### [Cloudflare One WARP Diagnostic AI Analyzer](https://developers.cloudflare.com/changelog/post/2025-08-29-warp-ai-diag-analyzer/)  
[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)  
We're excited to share a new AI feature, the [WARP diagnostic analyzer ↗](https://blog.cloudflare.com/AI-troubleshoot-warp-and-network-connectivity-issues/), to help you troubleshoot and resolve WARP connectivity issues faster. This beta feature is now available in the [Cloudflare One dashboard ↗](https://dash.cloudflare.com/one/) to all users. The AI analyzer makes it easier for you to identify the root cause of client connectivity issues by parsing [remote captures](https://developers.cloudflare.com/cloudflare-one/insights/dex/diagnostics/client-packet-capture/#start-a-remote-capture) of [WARP diagnostic logs](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#warp-diag-logs). The WARP diagnostic analyzer provides a summary of impact that may be experienced on the device, lists notable events that may contribute to performance issues, and recommends troubleshooting steps and articles to help you resolve these issues. Refer to [WARP diagnostics analyzer (beta)](https://developers.cloudflare.com/cloudflare-one/insights/dex/diagnostics/client-packet-capture/#diagnostics-analyzer-beta) to learn more about how to get the most out of the WARP diagnostic analyzer when troubleshooting the WARP client.

Aug 29, 2025
1. ### [DEX MCP Server](https://developers.cloudflare.com/changelog/post/2025-08-29-dex-mcp-server/)  
[ Digital Experience Monitoring ](https://developers.cloudflare.com/cloudflare-one/insights/dex/)  
[Digital Experience Monitoring (DEX)](https://developers.cloudflare.com/cloudflare-one/insights/dex/) provides visibility into device connectivity and performance across your Cloudflare SASE deployment.  
We've released an MCP server [(Model Context Protocol) ↗](https://cloudflare.com/learning/ai/what-is-model-context-protocol-mcp/) for DEX.  
The DEX MCP server is an AI tool that allows customers to ask a question like, "Show me the connectivity and performance metrics for the device used by carly@acme.com", and receive an answer that contains data from the DEX API.  
Any Cloudflare One customer using a Free, Pay-as-you-go, or Enterprise account can access the DEX MCP Server. This feature is available to everyone.  
Customers can test the new DEX MCP server in less than one minute. To learn more, read the [DEX MCP server documentation](https://developers.cloudflare.com/cloudflare-one/insights/dex/dex-mcp-server/).

Aug 29, 2025
1. ### [Terraform v5.9 now available](https://developers.cloudflare.com/changelog/post/2025-08-29-terrform-v59-provider/)  
[ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)[ Terraform ](https://developers.cloudflare.com/terraform/)  
Earlier this year, we announced the launch of the new [Terraform v5 Provider](https://developers.cloudflare.com/changelog/2025-02-03-terraform-v5-provider/). We are aware of the high number of [issues ↗](https://github.com/cloudflare/terraform-provider-cloudflare) reported by the Cloudflare community related to the v5 release. We have committed to releasing improvements on a two-week cadence to ensure its stability and reliability, including the v5.9 release. We have also pivoted from an issue-to-issue approach to a resource-per-resource approach: for every release we will focus on specific resources, stabilize the release, and close all bugs associated with those resources before moving on to resolving migration issues.  
Thank you for continuing to raise issues. We triage them weekly and they help make our products stronger.  
This release includes a new resource, `cloudflare_snippet`, which replaces `cloudflare_snippets`. `cloudflare_snippets` is now considered deprecated but can still be used. Please utilize `cloudflare_snippet` as soon as possible.  
#### Changes

  * Resources stabilized:  
    * `cloudflare_zone_setting`
    * `cloudflare_worker_script`
    * `cloudflare_worker_route`
    * `tiered_cache`
  * **NEW** resource `cloudflare_snippet` which should be used in place of `cloudflare_snippets`. `cloudflare_snippets` is now deprecated. This enables the management of Cloudflare's snippet functionality through Terraform.
  * DNS Record Improvements: Enhanced handling of DNS record drift detection
  * Load Balancer Fixes: Resolved `created_on` field inconsistencies and improved pool configuration handling
  * Bot Management: Enhanced auto-update model state consistency and fight mode configurations
  * Other bug fixes  
For a more detailed look at all of the changes, refer to the [changelog ↗](https://github.com/cloudflare/terraform-provider-cloudflare/releases/tag/v5.9.0) in GitHub.  
#### Issues Closed

  * [#5921: In cloudflare\_ruleset removing an existing rule causes recreation of later rules ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5921)
  * [#5904: cloudflare\_zero\_trust\_access\_application is not idempotent ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5904)
  * [#5898: (cloudflare\_workers\_script) Durable Object migrations not applied ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5898)
  * [#5892: cloudflare\_workers\_script secret\_text environment variable gets replaced on every deploy ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5892)
  * [#5891: cloudflare\_zone suddenly started showing drift ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5891)
  * [#5882: cloudflare\_zero\_trust\_list always marked for change due to read only attributes ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5882)
  * [#5879: cloudflare\_zero\_trust\_gateway\_certificate unable to manage resource (cant mark as active/inactive) ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5879)
  * [#5858: cloudflare\_dns\_records is always updated in-place ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5858)
  * [#5839: Recurring change on cloudflare\_zero\_trust\_gateway\_policy after upgrade to V5 provider & also setting expiration fails ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5839)
  * [#5811: Reusable policies are imported as inline type for cloudflare\_zero\_trust\_access\_application ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5811)
  * [#5795: cloudflare\_zone\_setting inconsistent value of "editable" upon apply ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5795)
  * [#5789: Pagination issue fetching all policies in "cloudflare\_zero\_trust\_access\_policies" data source ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5789)
  * [#5770: cloudflare\_zero\_trust\_access\_application type warp diff on every apply ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5770)
  * [#5765: V5 / cloudflare\_zone\_dnssec fails with HTTP/400 "Malformed request body" ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5765)
  * [#5755: Unable to manage Cloudflare managed WAF rules via Terraform ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5755)
  * [#5738: v4 to v5 upgrade failing Error: no schema available AND Unable to Read Previously Saved State for UpgradeResourceState ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5738)
  * [#5727: cloudflare\_ruleset http\_request\_cache\_settings bypass mismatch between dashboard and terraform ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5727)
  * [#5700: cloudflare\_account\_member invalid type 'string' for field 'roles' ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5700)  
If you have an unaddressed issue with the provider, we encourage you to check the [open issues ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues) and open a new issue if one does not already exist for what you are experiencing.  
#### Upgrading  
We suggest holding off on migration to v5 while we work on stabilization. This will help you avoid any blocking issues while the Terraform resources are actively being stabilized.  
If you'd like more information on migrating from v4 to v5, please make use of the [migration guide ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/guides/version-5-upgrade). We have provided automated migration scripts using Grit which simplify the transition. These do not support implementations which use Terraform modules, so customers making use of modules need to migrate manually. Please make use of `terraform plan` to test your changes before applying, and let us know if you encounter any additional issues by reporting to our [GitHub repository ↗](https://github.com/cloudflare/terraform-provider-cloudflare).  
#### For more info

  * [Terraform provider ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs)
  * [Documentation on using Terraform with Cloudflare](https://developers.cloudflare.com/terraform/)
  * [GitHub Repository ↗](https://github.com/cloudflare/terraform-provider-cloudflare)

Aug 29, 2025
1. ### [WAF Release - 2025-08-29 - Emergency](https://developers.cloudflare.com/changelog/post/2025-08-29-emergency-waf-release/)  
[ WAF ](https://developers.cloudflare.com/waf/)  

**This week's update**  
This week, new critical vulnerabilities were disclosed in Next.js’s image optimization functionality, exposing a broad range of production environments to risks of data exposure and cache manipulation.

**Key Findings**

  * CVE-2025-55173: Arbitrary file download from the server via image optimization.
  * CVE-2025-57752: Cache poisoning leading to unauthorized data disclosure.

**Impact**  
Exploitation could expose sensitive files, leak user or backend data, and undermine application trust. Given Next.js’s wide use, immediate patching and cache hardening are strongly advised.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                            | Previous Action | New Action | Comments                |
| -------------------------- | ----------- | -------------- | ------------------------------------------------------ | --------------- | ---------- | ----------------------- |
| Cloudflare Managed Ruleset | ...9ff4bfe3 | 100613         | Next.js - Dangerous File Download - CVE:CVE-2025-55173 | N/A             | Block      | This is a new detection |
| Cloudflare Managed Ruleset | ...69b9ea7d | 100616         | Next.js - Information Disclosure - CVE:CVE-2025-57752  | N/A             | Block      | This is a new detection |
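
One way to triage the rule tables in these WAF release entries, as an added example (not Cloudflare's code): it parses the Markdown tables and lists the CVE-tagged rules whose New Action is anything other than Block, so you can decide whether to override the default. The posture labels and function names are this example's own, and the sample input is the two tables from this page pasted inline.

```python
import re
from dataclasses import dataclass

# Constructed input: the two WAF release tables from this page, cells unpadded.
RELEASE_NOTES = """\
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | ...c49b7cf8 | 100586 | Fortinet FortiWeb - Auth Bypass - CVE:CVE-2025-52970 | Log | Disabled | This is a New Detection |
| Cloudflare Managed Ruleset | ...790c9dde | 100136C | XSS - JavaScript - Headers and Body | N/A | N/A | Rule metadata description refined. Detection unchanged. |

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
| --- | --- | --- | --- | --- | --- | --- |
| Cloudflare Managed Ruleset | ...9ff4bfe3 | 100613 | Next.js - Dangerous File Download - CVE:CVE-2025-55173 | N/A | Block | This is a new detection |
| Cloudflare Managed Ruleset | ...69b9ea7d | 100616 | Next.js - Information Disclosure - CVE:CVE-2025-57752 | N/A | Block | This is a new detection |
"""

COLUMNS = ("ruleset", "rule id", "legacy rule id", "description",
           "previous action", "new action", "comments")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
SEPARATOR_RE = re.compile(r"^\|(\s*:?-{3,}:?\s*\|)+$")
# Labels for each "New Action" value (this example's own vocabulary).
POSTURE = {"block": "blocking", "log": "log-only",
           "disabled": "not-running", "n/a": "unchanged"}


@dataclass
class Rule:
    ruleset: str
    rule_id: str
    legacy_id: str
    description: str
    previous_action: str
    new_action: str
    comments: str

    @property
    def cves(self):
        # "CVE:CVE-2025-52970" yields a single identifier.
        return sorted(set(CVE_RE.findall(self.description)))

    @property
    def posture(self):
        return POSTURE.get(self.new_action.lower(), "unknown")


def split_row(line):
    return [cell.strip() for cell in line.strip().strip("|").split("|")]


def parse_tables(markdown):
    """Return one Rule per data row of every rule table found in the text."""
    rules, header = [], None
    lines = [ln.strip() for ln in markdown.splitlines()]
    for i, line in enumerate(lines):
        if not line.startswith("|"):
            header = None            # a table ends at the first non-table line
            continue
        if SEPARATOR_RE.match(line):
            continue
        following = lines[i + 1] if i + 1 < len(lines) else ""
        if SEPARATOR_RE.match(following):
            header = [h.lower() for h in split_row(line)]
            if set(COLUMNS) - set(header):
                header = None        # some other table, not a rule table
            continue
        cells = split_row(line)
        if header is None or len(cells) != len(header):
            continue                 # stray or malformed row
        row = dict(zip(header, cells))
        rules.append(Rule(*(row[c] for c in COLUMNS)))
    return rules


def not_blocking(rules):
    """CVE-tagged rules whose default action after this release is not Block."""
    return [r for r in rules if r.cves and r.posture != "blocking"]


if __name__ == "__main__":
    for rule in not_blocking(parse_tables(RELEASE_NOTES)):
        print(f"{rule.legacy_id} ({rule.rule_id}) {', '.join(rule.cves)}: "
              f"{rule.previous_action} -> {rule.new_action} [{rule.posture}]")
```
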

Aug 27, 2025
1. ### [Enhanced crawler insights and custom 402 responses](https://developers.cloudflare.com/changelog/post/2025-08-27-ai-crawl-control-launch/)  
[ AI Crawl Control ](https://developers.cloudflare.com/ai-crawl-control/)  
We improved AI crawler management with detailed analytics and introduced custom HTTP 402 responses for blocked crawlers. AI Audit has been renamed to AI Crawl Control and is now generally available.

**Enhanced Crawlers tab:**

  * View total allowed and blocked requests for each AI crawler
  * Trend charts show crawler activity over your selected time range per crawler  
![Updated AI Crawl Control table showing request counts and trend charts](https://developers.cloudflare.com/_astro/ai-crawl-control-table.BDr0Qd-5_ZKex0W.webp)  

**Custom block responses (paid plans):** You can now return HTTP 402 "Payment Required" responses when blocking AI crawlers, enabling direct communication with crawler operators about licensing terms.  
For users on paid plans, when blocking AI crawlers you can configure:

  * **Response code:** Choose between 403 Forbidden or 402 Payment Required
  * **Response body:** Add a custom message with your licensing contact information  
![AI Crawl Control block response configuration interface](https://developers.cloudflare.com/_astro/ai-crawl-control-block-response.L4duQj7-_Z2mHb4X.webp)  
Example 402 response:  
```http
HTTP 402 Payment Required
Date: Mon, 24 Aug 2025 12:56:49 GMT
Content-type: application/json
Server: cloudflare
Cf-Ray: 967e8da599d0c3fa-EWR
Cf-Team: 2902f6db750000c3fa1e2ef400000001

{
  "message": "Please contact the site owner for access."
}
```

Aug 27, 2025
1. ### [Shadow IT - SaaS analytics dashboard](https://developers.cloudflare.com/changelog/post/2025-08-27-shadow-it-analytics/)  
[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)  
Zero Trust has significantly upgraded its **Shadow IT analytics**, providing you with unprecedented visibility into your organization's use of SaaS tools. With this dashboard, you can review who is using an application and volumes of data transfer to the application.  
You can review these metrics against application type, such as Artificial Intelligence or Social Media. You can also mark applications with an approval status, including **Unreviewed**, **In Review**, **Approved**, and **Unapproved**, designating how they can be used in your organization.  
![Cloudflare One Analytics Dashboards](https://developers.cloudflare.com/_astro/shadow-it-analytics.BLNnG72w_Z1vDznE.webp)  
These application statuses can also be used in Gateway HTTP policies, so you can block, isolate, limit uploads and downloads, and more based on the application status.  
Both the analytics and policies are accessible in the Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/), empowering organizations with better visibility and control.

Aug 27, 2025
1. ### [Deepgram and Leonardo partner models now available on Workers AI](https://developers.cloudflare.com/changelog/post/2025-08-27-partner-models/)  
[ Workers AI ](https://developers.cloudflare.com/workers-ai/)  
New state-of-the-art models have landed on Workers AI! This time, we're introducing new **partner models** trained by our friends at [Deepgram ↗](https://deepgram.com) and [Leonardo ↗](https://leonardo.ai), hosted on Workers AI infrastructure.  
As well, we're introducing a new turn detection model that enables you to detect when someone is done speaking — useful for building voice agents!  
Read the [blog ↗](https://blog.cloudflare.com/workers-ai-partner-models) for more details and check out some of the new models on our platform:

  * [@cf/deepgram/aura-1](https://developers.cloudflare.com/workers-ai/models/aura-1) is a text-to-speech model that allows you to input text and have it come to life in a customizable voice
  * [@cf/deepgram/nova-3](https://developers.cloudflare.com/workers-ai/models/nova-3) is a speech-to-text model that transcribes multilingual audio at a blazingly fast speed
  * [@cf/pipecat-ai/smart-turn-v2](https://developers.cloudflare.com/workers-ai/models/smart-turn-v2) helps you detect when someone is done speaking
  * [@cf/leonardo/lucid-origin](https://developers.cloudflare.com/workers-ai/models/lucid-origin) is a text-to-image model that generates images with sharp graphic design, stunning full-HD renders, or highly specific creative direction
  * [@cf/leonardo/phoenix-1.0](https://developers.cloudflare.com/workers-ai/models/phoenix-1.0) is a text-to-image model with exceptional prompt adherence and coherent text  
You can filter out new partner models with the `Partner` capability on our [Models](https://developers.cloudflare.com/workers-ai/models) page.  
As well, we're introducing WebSocket support for some of our audio models, which you can filter through the `Realtime` capability on our [Models](https://developers.cloudflare.com/workers-ai/models) page. WebSockets allow you to create a bi-directional connection to our inference server with low latency — perfect for those who are building voice agents.  
An example Python snippet on how to use WebSockets with our new Aura model:  
```python
import asyncio
import json
import os

import websockets

# Cloudflare account ID, read from the environment (assumed variable name).
ACCOUNT_ID = os.environ["ACCOUNT_ID"]
uri = f"wss://api.cloudflare.com/client/v4/accounts/{ACCOUNT_ID}/ai/run/@cf/deepgram/aura-1"

# Text to synthesize, one message per line.
lines = [
    "Line one, out of three lines that will be provided to the aura model.",
    "Line two, out of three lines that will be provided to the aura model.",
    "Line three, out of three lines that will be provided to the aura model. This is a last line.",
]


async def text_to_speech():
    # CF_TOKEN supplies the value of the Authorization header; keep it out of source control.
    async with websockets.connect(uri, additional_headers={"Authorization": os.getenv("CF_TOKEN")}) as websocket:
        print("connection established")
        for line in lines:
            print(f"sending `{line}`")
            await websocket.send(json.dumps({"type": "Speak", "text": line}))
            print("line was sent, flushing")
            # Flush asks the server to return the audio for the text sent so far.
            await websocket.send(json.dumps({"type": "Flush"}))
            print("flushed, recving")
            resp = await websocket.recv()
            print(f"response received {resp}")


if __name__ == "__main__":
    asyncio.run(text_to_speech())
```

Aug 26, 2025
1. ### [New CASB integrations for ChatGPT, Claude, and Gemini](https://developers.cloudflare.com/changelog/post/2025-08-26-casb-ai-integrations/)  
[ CASB ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/)  
[Cloudflare CASB ↗](https://www.cloudflare.com/zero-trust/products/casb/) now supports three of the most widely used GenAI platforms — **OpenAI ChatGPT**, **Anthropic Claude**, and **Google Gemini**. These API-based integrations give security teams agentless visibility into posture, data, and compliance risks across their organization’s use of generative AI.  
![Cloudflare CASB showing selection of new findings for ChatGPT, Claude, and Gemini integrations.](https://developers.cloudflare.com/_astro/casb-ai-integrations-preview.B-zsSA1P_Z1wlfJX.webp)  
#### Key capabilities

  * **Agentless connections** — connect ChatGPT, Claude, and Gemini tenants via API; no endpoint software required
  * **Posture management** — detect insecure settings and misconfigurations that could lead to data exposure
  * **DLP detection** — identify sensitive data in uploaded chat attachments or files
  * **GenAI-specific insights** — surface risks unique to each provider’s capabilities  
#### Learn more

  * [ChatGPT integration docs ↗](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/openai/)
  * [Claude integration docs ↗](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/anthropic/)
  * [Gemini integration docs ↗](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/google-workspace/gemini/)  
These integrations are available to all Cloudflare One customers today.

Aug 26, 2025
1. ### [Manage and restrict access to internal MCP servers with Cloudflare Access](https://developers.cloudflare.com/changelog/post/2025-08-26-access-mcp-oauth/)  
[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)  
You can now control who within your organization has access to internal MCP servers, by putting internal MCP servers behind [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/).  
[Self-hosted applications](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/linked-apps/) in Cloudflare Access now support OAuth for MCP server authentication. This allows Cloudflare to delegate access from any self-hosted application to an MCP server via OAuth. The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the authorized user, using that user's specific permissions and scopes.  
For example, if you have an MCP server designed for internal use within your organization, you can configure Access policies to ensure that only authorized users can access it, regardless of which MCP client they use. Support for internal, self-hosted MCP servers also works with MCP server portals, allowing you to provide a single MCP endpoint for multiple MCP servers. For more on MCP server portals, read the [blog post ↗](https://blog.cloudflare.com/zero-trust-mcp-server-portals/) on the Cloudflare Blog.

Aug 26, 2025
1. ### [MCP server portals](https://developers.cloudflare.com/changelog/post/2025-08-26-mcp-server-portals/)  
[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)  
![MCP server portal](https://developers.cloudflare.com/_astro/mcp-server-portal.BOKqTCoI_ZXYCcF.webp)  
An [MCP server portal](https://developers.cloudflare.com/cloudflare-one/access-controls/ai-controls/mcp-portals/) centralizes multiple Model Context Protocol (MCP) servers onto a single HTTP endpoint. Key benefits include:

  * **Streamlined access to multiple MCP servers**: MCP server portals support both unauthenticated MCP servers as well as MCP servers secured using any third-party or custom OAuth provider. Users log in to the portal URL through Cloudflare Access and are prompted to authenticate separately to each server that requires OAuth.
  * **Customized tools per portal**: Admins can tailor an MCP portal to a particular use case by choosing the specific tools and prompt templates that they want to make available to users through the portal. This allows users to access a curated set of tools and prompts — the less external context exposed to the AI model, the better the AI responses tend to be.
  * **Observability**: Once the user's AI agent is connected to the portal, Cloudflare Access logs the individual requests made using the tools in the portal.  
This is available in an open beta for all customers across all plans! For more information check out our [blog ↗](https://blog.cloudflare.com/zero-trust-mcp-server-portals/) for this release.

Aug 26, 2025
1. ### [List all vectors in a Vectorize index with the new list-vectors operation](https://developers.cloudflare.com/changelog/post/2025-08-26-vectorize-list-vectors/)  
[ Vectorize ](https://developers.cloudflare.com/vectorize/)  
You can now list all vector identifiers in a Vectorize index using the new `list-vectors` operation. This enables bulk operations, auditing, and data migration workflows through paginated requests that maintain snapshot consistency.  
The operation is available via Wrangler CLI and REST API. Refer to the [list-vectors best practices guide](https://developers.cloudflare.com/vectorize/best-practices/list-vectors/) for detailed usage guidance.

Aug 25, 2025
1. ### [Manage and deploy your AI provider keys through Bring Your Own Key (BYOK) with AI Gateway, now powered by Cloudflare Secrets Store](https://developers.cloudflare.com/changelog/post/2025-08-25-secrets-store-ai-gateway/)  
[ Secrets Store ](https://developers.cloudflare.com/secrets-store/)[ AI Gateway ](https://developers.cloudflare.com/ai-gateway/)[ SSL/TLS ](https://developers.cloudflare.com/ssl/)  
Cloudflare Secrets Store is now integrated with AI Gateway, allowing you to store, manage, and deploy your AI provider keys in a secure and seamless configuration through [Bring Your Own Key ↗](https://developers.cloudflare.com/ai-gateway/configuration/bring-your-own-keys/). Instead of passing your AI provider keys directly in every request header, you can centrally manage each key with Secrets Store and deploy in your gateway configuration using only a reference, rather than passing the value in plain text.  
You can now create a secret directly from your AI Gateway [in the dashboard ↗](http://dash.cloudflare.com/?to=/:account/ai-gateway) by navigating into your gateway -> **Provider Keys** \-> **Add**.  
![Import repo or choose template](https://developers.cloudflare.com/_astro/add-secret-ai-gateway.B-SIPr6s_jJjDD.webp)  
You can also create your secret with the newly available **ai\_gateway** scope via [wrangler ↗](https://developers.cloudflare.com/workers/wrangler/commands/), the [Secrets Store dashboard ↗](http://dash.cloudflare.com/?to=/:account/secrets-store), or the [API ↗](https://developers.cloudflare.com/api/resources/secrets%5Fstore/).  
Then, pass the key in the request header using its Secrets Store reference:  
```bash
# ANTHROPIC_KEY_1 is the Secrets Store reference, not the provider key itself.
curl -X POST https://gateway.ai.cloudflare.com/v1/<ACCOUNT_ID>/my-gateway/anthropic/v1/messages \
 --header 'cf-aig-authorization: ANTHROPIC_KEY_1' \
 --header 'anthropic-version: 2023-06-01' \
 --header 'Content-Type: application/json' \
 --data  '{"model": "claude-3-opus-20240229", "max_tokens": 1024, "messages": [{"role": "user", "content": "What is Cloudflare?"}]}'
```  
Or, using JavaScript:  
```javascript
import Anthropic from '@anthropic-ai/sdk';

const anthropic = new Anthropic({
  // Secrets Store reference for the key, not the raw provider key.
  apiKey: "ANTHROPIC_KEY_1",
  // Route requests through the AI Gateway instead of the provider's API host.
  baseURL: "https://gateway.ai.cloudflare.com/v1/<ACCOUNT_ID>/my-gateway/anthropic",
});

const message = await anthropic.messages.create({
  model: 'claude-3-opus-20240229',
  messages: [{role: "user", content: "What is Cloudflare?"}],
  max_tokens: 1024
});
```  
For more information, check out the [blog ↗](https://blog.cloudflare.com/ai-gateway-aug-2025-refresh)!

Aug 25, 2025
1. ### [New DLP topic based detection entries for AI prompt protection](https://developers.cloudflare.com/changelog/post/2025-08-25-ai-prompt-protection/)  
[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/)  
You now have access to a comprehensive suite of capabilities to secure your organization's use of generative AI. AI prompt protection introduces four key features that work together to provide deep visibility and granular control.

  1. **Prompt Detection for AI Applications**  
DLP can now natively detect and inspect user prompts submitted to popular AI applications, including **Google Gemini**, **ChatGPT**, **Claude**, and **Perplexity**.

  1. **Prompt Analysis and Topic Classification**  
Our DLP engine performs deep analysis on each prompt, applying [topic classification](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/#ai-prompt-topics). These topics are grouped into two evaluation categories:

  * **Content:** PII, Source Code, Credentials and Secrets, Financial Information, and Customer Data.
  * **Intent:** Jailbreak attempts, requests for malicious code, or attempts to extract PII.  
To help you apply these topics quickly, we have also released five new predefined profiles (for example, AI Prompt: AI Security, AI Prompt: PII) that bundle these new topics.  
![DLP](https://developers.cloudflare.com/_astro/ai-prompt-detection-entry.4QmdkAuv_Z14HtSJ.webp)  
  1. **Granular Guardrails**  
  You can now build guardrails using Gateway HTTP policies with [application granular controls](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#granular-controls). Apply a DLP profile containing an [AI prompt topic detection](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/#ai-prompt-topics) to individual AI applications (for example, `ChatGPT`) and specific user actions (for example, `SendPrompt`) to block sensitive prompts.  
  ![DLP](https://developers.cloudflare.com/_astro/ai-prompt-policy.CF3H2rbK_2muoEC.webp)
  4. **Full Prompt Logging**  
  To aid in incident investigation, an optional setting in your Gateway policy allows you to [capture prompt logs](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#log-generative-ai-prompt-content) to store the full interaction of prompts that trigger a policy match. To make investigations easier, logs can be filtered by `conversation_id`, allowing you to reconstruct the full context of an interaction that led to a policy violation.  
  ![DLP](https://developers.cloudflare.com/_astro/ai-prompt-log.ywQDc5qN_2v6nax.webp)  
AI prompt protection is now available in open beta. To learn more about it, read the [blog ↗](https://blog.cloudflare.com/ai-prompt-protection/#closing-the-loop-logging) or refer to [AI prompt topics](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/#ai-prompt-topics).

Aug 25, 2025
1. ### [WAF Release - 2025-08-25](https://developers.cloudflare.com/changelog/post/2025-08-25-waf-release/)  
[ WAF ](https://developers.cloudflare.com/waf/)  

**This week's update**  
This week, critical vulnerabilities were disclosed that impact widely used open-source infrastructure, creating high-risk scenarios for code execution and operational disruption.

**Key Findings**

  * Apache HTTP Server – Code Execution (CVE-2024-38474): A flaw in Apache HTTP Server allows attackers to achieve remote code execution, enabling full compromise of affected servers. This vulnerability threatens the confidentiality, integrity, and availability of critical web services.
  * Laravel (CVE-2024-55661): A security flaw in Laravel introduces the potential for remote code execution under specific conditions. Exploitation could provide attackers with unauthorized access to application logic and sensitive backend data.

**Impact**  
These vulnerabilities pose severe risks to enterprise environments and open-source ecosystems. Remote code execution enables attackers to gain deep system access, steal data, disrupt services, and establish persistent footholds for broader intrusions. Given the widespread deployment of Apache HTTP Server and Laravel in production systems, timely patching and mitigation are critical.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                                           | Previous Action | New Action | Comments                                                                                                                            |
| -------------------------- | ----------- | -------------- | --------------------------------------------------------------------- | --------------- | ---------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| Cloudflare Managed Ruleset | ...28050359 | 100822\_BETA   | WordPress:Plugin:WPBookit - Remote Code Execution - CVE:CVE-2025-6058 | N/A             | Disabled   | This was merged into the original rule "WordPress:Plugin:WPBookit - Remote Code Execution - CVE:CVE-2025-6058" (ID: ...194f7b2d)    |
| Cloudflare Managed Ruleset | ...3bdcdbad | 100831         | Apache HTTP Server - Code Execution - CVE:CVE-2024-38474              | Log             | Disabled   | This is a New Detection                                                                                                             |
| Cloudflare Managed Ruleset | ...02eaac5b | 100846         | Laravel - Remote Code Execution - CVE:CVE-2024-55661                  | Log             | Disabled   | This is a New Detection                                                                                                             |

Aug 25, 2025
1. ### [Content type returned in Workers Assets for Javascript files is now \`text/javascript\`](https://developers.cloudflare.com/changelog/post/2025-08-25-workers-assets-javascript-content-type/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
JavaScript asset responses have been updated to use the `text/javascript` Content-Type header instead of `application/javascript`. While both MIME types are widely supported by browsers, the HTML Living Standard explicitly recommends `text/javascript` as the preferred type going forward.  
This change improves:

  * Standards alignment: Ensures consistency with the HTML spec and modern web platform guidance.
  * Interoperability: Some developer tools, validators, and proxies expect `text/javascript` and may warn or behave inconsistently with `application/javascript`.
  * Future-proofing: By following the spec-preferred MIME type, we reduce the risk of deprecation warnings or unexpected behavior in evolving browser environments.
  * Consistency: Most frameworks, CDNs, and hosting providers now default to `text/javascript`, so this change matches common ecosystem practice.  
Because all major browsers accept both MIME types, this update is backwards compatible and should not cause breakage.  
Users will see this change on the next deployment of their assets.
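
Tests, proxy allowlists, and validators that compare the header to the literal string `application/javascript` stop matching after this change. The following is an added example, not Cloudflare's code: it matches the MIME type essence against the JavaScript MIME types listed in the WHATWG MIME Sniffing standard. The function names and sample headers are constructed for illustration.

```javascript
// JavaScript MIME type essences listed in the WHATWG MIME Sniffing standard.
const JAVASCRIPT_MIME_ESSENCES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript",
  "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
  "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
  "text/jscript", "text/livescript",
  "text/x-ecmascript", "text/x-javascript",
]);

// HTTP token characters allowed in a MIME type and subtype.
const ESSENCE_PATTERN = /^[!#$%&'*+\-.^_`|~0-9a-z]+\/[!#$%&'*+\-.^_`|~0-9a-z]+$/;

// Return the lowercased "type/subtype" essence of a Content-Type value,
// or null when the header is missing or malformed.
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return null;
  // Parameters such as "; charset=utf-8" follow the first ";" and are ignored.
  const essence = contentType.split(";", 1)[0].trim().toLowerCase();
  return ESSENCE_PATTERN.test(essence) ? essence : null;
}

function isJavaScriptMime(contentType) {
  const essence = mimeEssence(contentType);
  return essence !== null && JAVASCRIPT_MIME_ESSENCES.has(essence);
}

// The brittle form of the check: exact comparison against the old value.
function legacyExactMatch(contentType) {
  return contentType === "application/javascript";
}

// Audit one response's headers (plain object, lowercase names: an assumption
// of this example). With "X-Content-Type-Options: nosniff", browsers refuse to
// run a script whose MIME type is not a JavaScript MIME type.
function auditScriptResponse(headers) {
  const javascript = isJavaScriptMime(headers["content-type"]);
  const nosniff =
    (headers["x-content-type-options"] || "").trim().toLowerCase() === "nosniff";
  return {
    essence: mimeEssence(headers["content-type"]),
    javascript,
    blockedAsScript: nosniff && !javascript,
    legacyCheckPasses: legacyExactMatch(headers["content-type"]),
  };
}

// Constructed sample headers: an asset before and after the change, plus a
// misconfigured response that nosniff would block.
const samples = [
  { "content-type": "application/javascript", "x-content-type-options": "nosniff" },
  { "content-type": "text/javascript; charset=utf-8", "x-content-type-options": "nosniff" },
  { "content-type": "text/plain", "x-content-type-options": "nosniff" },
];
for (const headers of samples) {
  console.log(headers["content-type"], auditScriptResponse(headers));
}
```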

Aug 22, 2025
1. ### [Workers KV completes hybrid storage provider rollout for improved performance, fault-tolerance](https://developers.cloudflare.com/changelog/post/2025-08-22-kv-performance-improvements/)  
[ KV ](https://developers.cloudflare.com/kv/)  
Workers KV has completed rolling out performance improvements across all KV namespaces, providing a significant latency reduction on read operations for all KV users. This is due to architectural changes to KV's underlying storage infrastructure, which introduce a new metadata layer and substantially improve redundancy.  
![Workers KV latency improvements showing P95 and P99 performance gains in Europe, Asia, Africa and Middle East regions as measured within KV's internal storage gateway worker.](https://developers.cloudflare.com/_astro/kv-hybrid-providers-performance-improvements.D6MBO22S_2ok8qE.webp)  
#### Performance improvements  
The new hybrid architecture delivers substantial latency reductions throughout the Europe, Asia, Middle East, and Africa regions. Over the past 2 weeks, we have observed the following:

  * **p95 latency**: Reduced from \~150ms to \~50ms (67% decrease)
  * **p99 latency**: Reduced from \~350ms to \~250ms (29% decrease)

Aug 22, 2025
1. ### [Audit logs (version 2) - Logpush Beta Release](https://developers.cloudflare.com/changelog/post/2025-08-22-audit-logs-v2-logpush/)  
[ Audit Logs ](https://developers.cloudflare.com/fundamentals/account/account-security/review-audit-logs/)  
[Audit Logs v2 dataset](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/audit%5Flogs%5Fv2/) is now available via Logpush.  
This expands on earlier releases of Audit Logs v2 in the [API](https://developers.cloudflare.com/changelog/2025-03-27-automatic-audit-logs-beta-release/) and [Dashboard UI](https://developers.cloudflare.com/changelog/2025-07-29-audit-logs-v2-ui-beta/).  
We recommend creating a new Logpush job for the Audit Logs v2 dataset.  
Timelines for General Availability (GA) of Audit Logs v2 and the retirement of Audit Logs v1 will be shared in upcoming updates.  
For more details on Audit Logs v2, refer to the [Audit Logs documentation ↗](https://developers.cloudflare.com/fundamentals/account/account-security/audit-logs/).

Aug 22, 2025
1. ### [Dedicated Egress IP for Logpush](https://developers.cloudflare.com/changelog/post/2025-08-22-dedicated-egress-ip-logpush/)  
[ Logs ](https://developers.cloudflare.com/logs/)  
Cloudflare Logpush can now deliver logs using fixed, dedicated egress IPs. By routing Logpush traffic through a Cloudflare zone enabled with [Aegis IP](https://developers.cloudflare.com/smart-shield/configuration/dedicated-egress-ips/), your log destination only needs to allow Aegis IPs, making setup more secure.  
Highlights:

  * Fixed egress IPs ensure your destination only accepts traffic from known addresses.
  * Works with any supported Logpush destination.
  * Recommended to use a dedicated zone as a proxy for easier management.  
To get started, work with your Cloudflare account team to provision Aegis IPs, then configure your Logpush job to deliver logs through the proxy zone. For full setup instructions, refer to the [Logpush documentation](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/egress-ip/).

Aug 22, 2025
1. ### [WAF Release - 2025-08-22](https://developers.cloudflare.com/changelog/post/2025-08-22-waf-release/)  
[ WAF ](https://developers.cloudflare.com/waf/)  

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                     | Previous Action | New Action | Comments                |
| -------------------------- | ----------- | -------------- | ----------------------------------------------- | --------------- | ---------- | ----------------------- |
| Cloudflare Managed Ruleset | ...5fcca5c8 | 100850         | Command Injection - Generic 2                   | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...744305c4 | 100851         | Remote Code Execution - Java Deserialization    | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...2b083459 | 100852         | Command Injection - Generic 3                   | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...efb7e5b9 | 100853         | Remote Code Execution - Common Bash Bypass Beta | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...78513ad7 | 100854         | XSS - Generic JavaScript                        | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...e9a5daac | 100855         | Command Injection - Generic 4                   | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...480f6093 | 100856         | PHP Object Injection                            | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...d4ae0a33 | 100857         | Generic - Parameter Fuzzing                     | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...1121ee45 | 100858         | Code Injection - Generic 4                      | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...20de01e3 | 100859         | SQLi - UNION - 2                                | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...c0177e21 | 100860         | Command Injection - Generic 5                   | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...85f4d7b3 | 100861         | Command Execution - Generic                     | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...3fa8ee7f | 100862         | GraphQL Injection - 2                           | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...c7a41d4b | 100863         | Command Injection - Generic 6                   | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...65e3c165 | 100864         | Code Injection - Generic 2                      | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...161aafdc | 100865         | PHP Object Injection - 2                        | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...1cc3c3f8 | 100866         | SQLi - LIKE 2                                   | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...48ac2221 | 100867         | SQLi - DROP - 2                                 | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...1f4eec13 | 100868         | Code Injection - Generic 3                      | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...2755f99e | 100869         | Command Injection - Generic 7                   | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...413592e2 | 100870         | Command Injection - Generic 8                   | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...d2dd41b5 | 100871         | SQLi - LIKE 3                                   | N/A             | Disabled   | This is a New Detection |

Aug 22, 2025
1. ### [Build durable multi-step applications in Python with Workflows (now in beta)](https://developers.cloudflare.com/changelog/post/2025-08-22-workflows-python-beta/)  
[ Workflows ](https://developers.cloudflare.com/workflows/)[ Workers ](https://developers.cloudflare.com/workers/)  
You can now build [Workflows](https://developers.cloudflare.com/workflows/) using Python. With Python Workflows, you get automatic retries, state persistence, and the ability to run multi-step operations that can span minutes, hours, or weeks using Python’s familiar syntax and the [Python Workers](https://developers.cloudflare.com/workers/languages/python/) runtime.  
Python Workflows use the same step-based execution model as JavaScript Workflows, but with Python syntax and access to Python’s ecosystem. Python Workflows also enable [DAG (Directed Acyclic Graph) workflows](https://developers.cloudflare.com/workflows/python/dag/), where you can define complex dependencies between steps using the depends parameter.  
Here’s a simple example:

**Python**  
```python
from workers import Response, WorkerEntrypoint, WorkflowEntrypoint


class PythonWorkflowStarter(WorkflowEntrypoint):
    async def run(self, event, step):
        @step.do("my first step")
        async def my_first_step():
            # do some work
            return "Hello Python!"

        await my_first_step()

        await step.sleep("my-sleep-step", "10 seconds")

        @step.do("my second step")
        async def my_second_step():
            # do some more work
            return "Hello again!"

        await my_second_step()


class Default(WorkerEntrypoint):
    async def fetch(self, request):
        # Start a new instance of the Workflow bound as MY_WORKFLOW
        await self.env.MY_WORKFLOW.create()
        return Response("Hello Workflow creation!")
```  
Note  
Python Workflows requires a `compatibility_date = "2025-08-01"`, or lower, in your wrangler toml file.  
Python Workflows support the same core capabilities as JavaScript Workflows, including sleep scheduling, event-driven workflows, and built-in error handling with configurable retry policies.  
To learn more and get started, refer to [Python Workflows documentation](https://developers.cloudflare.com/workflows/python/).

Aug 21, 2025
1. ### [WARP client for Windows (version 2025.6.1400.0)](https://developers.cloudflare.com/changelog/post/2025-08-21-warp-windows-ga/)  
[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)  
A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).  
This release contains a hotfix for the 2025.6.1135.0 release that addresses pre-login for multi-user.

**Changes and improvements**

  * Fixes an issue where new pre-login registrations were not being properly created.

**Known issues**

  * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
  * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).
  * Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
  * DNS resolution may be broken when the following conditions are all true:

    * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
    * A custom DNS server address is configured on the primary network adapter.
    * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
  To work around this issue, please reconnect the WARP client by toggling off and back on.

Aug 21, 2025
1. ### [New getByName() API to access Durable Objects](https://developers.cloudflare.com/changelog/post/2025-08-21-durable-objects-get-by-name/)  
[ Durable Objects ](https://developers.cloudflare.com/durable-objects/)[ Workers ](https://developers.cloudflare.com/workers/)  
You can now create a client (a [Durable Object stub](https://developers.cloudflare.com/durable-objects/api/stub/)) to a Durable Object with the new `getByName` method, removing the need to convert Durable Object names to IDs and then create a stub.

**JavaScript**  
```js
// Before: (1) translate name to ID, then (2) get a client
const objectId = env.MY_DURABLE_OBJECT.idFromName("foo"); // or .newUniqueId()
const stubFromId = env.MY_DURABLE_OBJECT.get(objectId);

// Now: retrieve client to Durable Object directly via its name
const stub = env.MY_DURABLE_OBJECT.getByName("foo");

// Use client to send request to the remote Durable Object
const rpcResponse = await stub.sayHello();
```  
Each Durable Object has a globally-unique name, which allows you to send requests to a specific object from anywhere in the world. Thus, a Durable Object can be used to coordinate between multiple clients who need to work together. You can have billions of Durable Objects, providing isolation between application tenants.  
To learn more, visit the Durable Objects [API Documentation](https://developers.cloudflare.com/durable-objects/api/namespace/#getbyname) or the [getting started guide](https://developers.cloudflare.com/durable-objects/get-started/).

Aug 21, 2025
1. ### [Gateway BYOIP Dedicated Egress IPs now available.](https://developers.cloudflare.com/changelog/post/2025-08-21-byoip-dedicated-egress-ip/)  
[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)  
Enterprise Gateway users can now use Bring Your Own IP (BYOIP) for dedicated egress IPs.  
Admins can now onboard and use their own IPv4 or IPv6 prefixes to egress traffic from Cloudflare, delivering greater control, flexibility, and compliance for network traffic.  
Get started by following the [BYOIP onboarding process](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/#bring-your-own-ip-address-byoip). Once your IPs are onboarded, go to **Gateway** \> **Egress policies** and select or create an egress policy. In **Select an egress IP**, choose _Use dedicated egress IPs (Cloudflare or BYOIP)_, then select your BYOIP address from the dropdown menu.  
![Screenshot of a dropdown menu adding a BYOIP IPv4 address as a dedicated egress IP in a Gateway egress policy](https://developers.cloudflare.com/_astro/Gateway-byoip-dedicated-egress-ips.D0pzLAbV_8yK6N.webp)  
For more information, refer to [BYOIP for dedicated egress IPs](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/#bring-your-own-ip-address-byoip).

