Author: guillaume

This emergency release introduces a new rule to detect Next.js App Router middleware and proxy bypass attempts via segment-prefetch routes (CVE-2026-44575).

Key Findings

CVE-2026-44575: Next.js Middleware / Proxy Bypass in App Router Applications via Segment-Prefetch Routes

Successful exploitation allows unauthenticated attackers to bypass middleware or proxy-based authorization checks in affected Next.js App Router applications. This leads to unauthorized access to protected content, potential exposure of sensitive application data, and compromise of application security boundaries.

We strongly recommend upgrading to Next.js 15.5.16 or 16.2.5 (or later) immediately to address the underlying vulnerability. If you cannot upgrade immediately, enforce authorization in the underlying route or page logic instead of relying solely on middleware.

You can now export your Requests for Information (RFI) history to a CSV document and customize your dashboard view by choosing how many RFI records to load per page.

Why this matters

These quality-of-life updates focus on data portability and dashboard performance, allowing power users to manage high volumes of requests more efficiently:

• The new CSV export allows you to move RFI data into external tools for custom reporting, internal auditing, or cross-referencing with other security projects without manual data entry
• With adjustable page density, you can now choose to load more records at once (10, 25 or 50) to scan through history faster

Cloudforce One subscribers can find these new options in Cloudflare Dashboard > Application Security > Threat Intelligence > Requests for Information.

You can now export your Requests for Information (RFI) history to a CSV document and customize your dashboard view by choosing how many RFI records to load per page.

Why this matters

These quality-of-life updates focus on data portability and dashboard performance, allowing power users to manage high volumes of requests more efficiently:

• The new CSV export allows you to move RFI data into external tools for custom reporting, internal auditing, or cross-referencing with other security projects without manual data entry
• With adjustable page density, you can now choose to load more records at once (10, 25 or 50) to scan through history faster

Cloudforce One subscribers can find these new options in Cloudflare Dashboard > Application Security > Threat Intelligence > Requests for Information.

You can now interact with your Stream video library using new bindings for Workers! This allows customers to upload content to Stream, provision direct uploads, manage videos, and generate signed URLs from a Worker without making authenticated API calls. We’re excited to bring Stream and Workers closer together to empower more programmatic pipelines, tighter integrations, and support generative AI and inference workloads.

Use the Stream binding when you want to:

• Upload videos from URLs or create basic direct upload links for end users
• Generate signed playback tokens without managing signing keys
• Manage video metadata, captions, downloads, and watermarks
• Build video pipelines entirely within Workers

To get started, add the Stream binding to your Wrangler configuration:

• wrangler.jsonc

  {
    "$schema": "./node_modules/wrangler/config-schema.json",
    "stream": {
      "binding": "STREAM"
    }
  }

• wrangler.toml

  [stream]
  binding = "STREAM"

Generate a video with AI and upload directly to Stream or send a URL of a file you already have:

• JavaScript

  const aiResponse = await env.AI.run(
    "google/veo-3.1",
    {
      prompt: "A dog walking next to a river",
      duration: "10s",
      aspect_ratio: "16:9",
      resolution: "1080p",
      generate_audio: true,
    },
    {
      gateway: { id: "experiments" },
    },
  );
  
  // Veo will return a URL of the generated asset.
  const videoUrl = aiResponse.result.video;
  
  // Alternative option: a video of the Austin Office mobile
  // const videoUrl = 'https://pub-d9fcbc1abcd244c1821f38b99017347f.r2.dev/aus-mobile.mp4';
  
  // Upload to Stream by providing a URL
  const streamVideo = await env.STREAM.upload(videoUrl);
  
  // The streamVideo response will include the video ID, playback and manifest
  // URLs, and other information, just like the REST API.

• TypeScript

  const aiResponse = await env.AI.run(
    'google/veo-3.1',
    {
      prompt: 'A dog walking next to a river',
      duration: '10s',
      aspect_ratio: '16:9',
      resolution: '1080p',
      generate_audio: true,
    },
    {
      gateway: { id: 'experiments' },
    },
  );
  
  // Veo will return a URL of the generated asset.
  const videoUrl = aiResponse.result.video;
  
  // Alternative option: a video of the Austin Office mobile
  // const videoUrl = 'https://pub-d9fcbc1abcd244c1821f38b99017347f.r2.dev/aus-mobile.mp4';
  
  // Upload to Stream by providing a URL
  const streamVideo = await env.STREAM.upload(videoUrl);
  
  // The streamVideo response will include the video ID, playback and manifest
  // URLs, and other information, just like the REST API.

Generate a signed URL without using a signing key or an API call:

• JavaScript

  const video_id = "ce800be43a9772f4bb02f35b860fb516";
  const token = await env.STREAM.video(video_id).generateToken();
  
  // Use the "token" in an iframe embed code, manifest URL, or thumbnail:
  const embedUrl = `https://customer-igynxd2rwhmuoxw8.cloudflarestream.com/${token}/iframe`;

• TypeScript

  const video_id = 'ce800be43a9772f4bb02f35b860fb516';
  const token = await env.STREAM.video(video_id).generateToken();
  
  // Use the "token" in an iframe embed code, manifest URL, or thumbnail:
  const embedUrl = `https://customer-igynxd2rwhmuoxw8.cloudflarestream.com/${token}/iframe`;

Get and set video properties easily:

• JavaScript

  const video_id = "46c8b7f480d410840758c1cb14a72e47";
  const result = await env.STREAM.video(video_id).details();
  
  await env.STREAM.video(video_id).update({
    meta: { name: "sample video" },
  });

• TypeScript

  const video_id = '46c8b7f480d410840758c1cb14a72e47';
  const result = await env.STREAM.video(video_id).details();
  
  await env.STREAM.video(video_id).update({
    meta: { name: 'sample video' }
  });

For setup instructions and the full API reference, refer to Bind to Workers API.

Get started with your Agent

Add a binding for Cloudflare Stream (env.STREAM). On the watch page, use the
Stream binding to get info based on the ID, and leverage video.meta.name as
the page title.

This emergency release introduces a new rule to detect Next.js App Router middleware and proxy bypass attempts via segment-prefetch routes (CVE-2026-44575).

Key Findings

CVE-2026-44575: Next.js Middleware / Proxy Bypass in App Router Applications via Segment-Prefetch Routes

Successful exploitation allows unauthenticated attackers to bypass middleware or proxy-based authorization checks in affected Next.js App Router applications. This leads to unauthorized access to protected content, potential exposure of sensitive application data, and compromise of application security boundaries.

We strongly recommend upgrading to Next.js 15.5.16 or 16.2.5 (or later) immediately to address the underlying vulnerability. If you cannot upgrade immediately, enforce authorization in the underlying route or page logic instead of relying solely on middleware.

Cloudflare Mesh nodes now support IPv6 CIDR routes. You can advertise both IPv4 and IPv6 subnets through your Mesh nodes, making IPv6-only or dual-stack private networks reachable from any enrolled device.

To add an IPv6 route, follow the same steps as adding an IPv4 route — enter the IPv6 CIDR (for example, fd00::/64) when configuring the route in the dashboard or via the API.

Cloudflare Mesh nodes now support IPv6 CIDR routes. You can advertise both IPv4 and IPv6 subnets through your Mesh nodes, making IPv6-only or dual-stack private networks reachable from any enrolled device.

To add an IPv6 route, follow the same steps as adding an IPv4 route — enter the IPv6 CIDR (for example, fd00::/64) when configuring the route in the dashboard or via the API.

Cloudflare Pipelines ingests streaming data via Workers or HTTP endpoints, transforms it with SQL, and writes it to R2 as Apache Iceberg tables. R2 Data Catalog manages those Iceberg tables, compaction, and compatibility with query engines like R2 SQL, Spark, and DuckDB.

You can now create and manage both products using Terraform, supported in the Cloudflare Terraform provider v5.19.0.

This adds four new resources that let you define your entire data pipeline as infrastructure-as-code: a data catalog, a stream for ingestion, a sink that writes to R2 Data Catalog or R2, and a pipeline that connects them with SQL.

The new Terraform resources are:

• cloudflare_r2_data_catalog — enable the data catalog on an R2 bucket
• cloudflare_pipeline_stream — create a stream that receives events via HTTP or Worker bindings
• cloudflare_pipeline_sink — create a sink that writes to R2 Data Catalog or R2
• cloudflare_pipeline — create a pipeline with SQL connecting a stream to a sink

Here is a minimal example that creates a stream, an R2 Data Catalog sink, and a pipeline:

resource "cloudflare_pipeline_stream" "my_stream" {
  account_id = var.cloudflare_account_id
  name       = "my_stream"
  format     = { type = "json" }
  schema = {
    fields = [{
      name     = "value"
      type     = "json"
      required = true
    }]
  }
  http           = { enabled = true, authentication = false, cors = {} }
  worker_binding = { enabled = false }
}

resource "cloudflare_pipeline_sink" "my_sink" {
  account_id = var.cloudflare_account_id
  name       = "my_sink"
  type       = "r2_data_catalog"
  format     = { type = "parquet" }
  schema     = { fields = [] }
  config = {
    account_id = var.cloudflare_account_id
    bucket     = "my-pipeline-bucket"
    table_name = "my_table"
    token      = var.catalog_token
  }
}

resource "cloudflare_pipeline" "my_pipeline" {
  account_id = var.cloudflare_account_id
  name       = "my_pipeline"
  sql        = "INSERT INTO ${cloudflare_pipeline_sink.my_sink.name} SELECT * FROM ${cloudflare_pipeline_stream.my_stream.name}"
}

For a full end-to-end example that includes R2 bucket creation, data catalog setup, and scoped API token provisioning, refer to the Pipelines Terraform documentation.

Cloudflare’s cache now runs on a new proxy built on Pingora, the Rust-based framework that already serves a significant portion of Cloudflare’s network traffic. The new proxy is faster, more memory-safe, and designed to evolve our cache architecture. It delivers immediate performance improvements and enables new caching capabilities.

What this brings

• Lower latency: The new proxy reduces per-request overhead through improved connection reuse.
• Reduced cache MISSes: Enhanced cache retention improves origin offload.
• Better RFC compliance: Caching behavior more closely follows HTTP caching standards.
• Foundation for future features: The new architecture enables upcoming improvements to cache functionality and efficiency.

New features

• Asynchronous stale-while-revalidate: Every request returns stale content immediately while revalidation happens in the background, instead of the first request after expiry blocking on the origin. Refer to the asynchronous stale-while-revalidate changelog for details.
• Unbuffered bypass by default: Responses that bypass cache are streamed directly to the client without buffering, reducing time-to-first-byte for uncacheable content.

Behavioral changes

The new architecture introduces the following behavioral changes to improve RFC compliance and correctness:

• Vary: * results in cache bypass: According to RFC 9110 Section 12.5.5, a Vary header value of * indicates the response varies on factors beyond request headers and must not be served from cache. Cloudflare now bypasses cache for these responses instead of storing them.
• Set-Cookie stripped on MISS and EXPIRED: For cacheable assets, Set-Cookie is now stripped on MISS and EXPIRED responses, not only on HITs.
• Floating-point TTL values: Floating-point time-to-live values (for example, max-age=1.5) are rounded down to the nearest integer instead of being rejected as invalid.

What’s next

A deeper look at the new cache proxy is coming soon to the Cloudflare blog. For background on the underlying framework, read:

• Open sourcing Pingora: our Rust framework for building programmable network services
• How we built Pingora, the proxy that connects Cloudflare to the Internet

You can now navigate, switch context, and take common actions in the Cloudflare dashboard without leaving your keyboard. Press ? anywhere to see the full list. Keyboard shortcuts can be disabled by visiting your profile settings.

Navigate

Take action