Blog

  • CASB – Send CASB posture finding instances with webhooks

    You can now use CASB webhooks in Cloudflare One to send posture finding instances to external systems such as chat platforms, ticketing systems, SIEMs, SOAR tools, and custom automation services.

    This gives security teams a simple way to route CASB posture findings into the tools and workflows they already use for triage and response.

    To get started, go to Integrations > Webhooks in the Cloudflare One dashboard to create a webhook destination. After you configure a webhook, open a posture finding instance and select Send webhook to send it.

    Key capabilities

    • Flexible authentication — Configure destinations using None, Basic Auth, Bearer Auth, Static Headers, or HMAC-Signing.
    • Built-in testing — Use Test delivery to send a test request before sending a live finding instance.
    • Posture finding workflows — Send posture finding instances directly from the finding details workflow in Cloud & SaaS findings.
    • HTTPS destinations — Configure webhook destinations with public https:// URLs.

    Learn more

    CASB webhooks are now available in Cloudflare One.

  • Workers – Relaxed simultaneous connection limiting for Workers

    The simultaneous open connections limit has been relaxed. Previously, each Worker invocation was limited to six open connections at a time for the entire lifetime of each connection, including while reading the response body. Now, a connection is freed as soon as response headers arrive, so the six-connection limit only constrains how many connections can be in the initial “waiting for headers” phase simultaneously.

    Before: New connections are blocked until an earlier connection fully completes

    A 7th fetch is queued until an earlier connection fully completes, including reading its entire response body

    After: New connections can start as soon as response headers arrive

    A 7th fetch starts as soon as any earlier connection receives its response headers

    This means Workers can now have many more connections open at the same time without queueing, as long as no more than six are waiting for their initial response. This eliminates the Response closed due to connection limit exception that could previously occur when the runtime canceled stalled connections to prevent deadlocks.

    Previously, the runtime used a deadlock avoidance algorithm that watched each open connection for I/O activity. If all six connections appeared idle — even momentarily — the runtime would cancel the least-recently-used connection to make room for new requests. In practice, this heuristic was fragile. For example, when a response used Content-Encoding: gzip, the runtime’s internal decompression created brief gaps between read and write operations. During these gaps, the connection appeared stalled despite being actively read by the Worker. If multiple connections hit these gaps at the same time, the runtime could spuriously cancel a connection that was working correctly. By only counting connections during the waiting-for-headers phase — where the runtime is fully in control and there is no ambiguity about whether the connection is active — this class of bug is eliminated entirely.

    Before: Connections could be canceled during brief internal pauses

    A connection with gaps from gzip decompression appears idle and is canceled by the runtime

    After: Connections complete normally regardless of internal pauses

    The same connection completes normally because the body phase is no longer counted against the limit
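
    The before/after behavior described above can be modeled as a small scheduler. This is an added example, not Cloudflare runtime code; the function names, the FIFO queueing and the timings are assumptions made for illustration.

```javascript
const LIMIT = 6; // simultaneous-connection limit stated in the changelog entry

// fetches: [{ headerMs, bodyMs }], all issued at t = 0 and started in FIFO order.
// slotHeldMs(f) says how long a started fetch counts against the limit.
function schedule(fetches, slotHeldMs) {
  const releases = []; // times at which counted connections free their slot
  return fetches.map((f) => {
    let start = 0;
    if (releases.length >= LIMIT) {
      releases.sort((a, b) => a - b);
      start = releases.shift(); // queue until the earliest slot frees
    }
    releases.push(start + slotHeldMs(f));
    return { start, doneAt: start + f.headerMs + f.bodyMs };
  });
}

// Largest number of connections open (started, body not yet fully read) at once.
function peakOpen(runs) {
  return Math.max(...runs.map((r) =>
    runs.filter((o) => o.start <= r.start && r.start < o.doneAt).length));
}

function summarize(runs) {
  return {
    starts: runs.map((r) => r.start),
    peakOpen: peakOpen(runs),
    finishedAt: Math.max(...runs.map((r) => r.doneAt)),
  };
}

function compare(fetches) {
  return {
    // Before: the slot is held until the response body has been fully read.
    before: summarize(schedule(fetches, (f) => f.headerMs + f.bodyMs)),
    // After: the slot is released as soon as response headers arrive.
    after: summarize(schedule(fetches, (f) => f.headerMs)),
  };
}

// Constructed workload: 8 fetches, headers after 50 ms, body takes 2000 ms to read.
const demo = Array.from({ length: 8 }, () => ({ headerMs: 50, bodyMs: 2000 }));
console.log(compare(demo));
```

    In this model an origin that is slow to send headers still gates the queue: with six fetches waiting on headers, the seventh does not start until one of them receives its headers.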

  • Security Center – Real-time alerts and daily digests for Threat Events

    You can now automate your threat monitoring by setting up custom alerts in your saved views. Instead of manually checking the dashboard for updates, you can subscribe to notifications that trigger whenever new data matches your specific filter sets, like new activity associated with a particular threat actor or spikes in activity within your industry.

    Stay ahead of emerging threats

    By linking your saved views to the Cloudflare Notifications Center, you can ensure the right information reaches your team at the right time.

    • Immediate Alerts: receive real-time notifications the moment a critical event is detected that matches your saved criteria. This is essential for high-priority monitoring, such as tracking active campaigns from specific APT groups.

    • Daily Digests: opt for a summarized report delivered once a day. This is ideal for maintaining situational awareness of broader trends, like regional activity shifts or industry-wide threat landscapes, without cluttering your inbox.

    Threat Events notifications

    How to get started

    To set up an alert, go to Application Security > Threat Intelligence > Threat Events. From there:

    1. Choose your datasets, apply your desired filters, and select Save View (or select an existing one).
    2. Open the Manage Saved Views menu.
    3. Select Add Alert next to your chosen view to configure your notification preferences in the Cloudflare dashboard.

    For more technical details on configuring notifications, refer to the Threat Events documentation.

  • Risk Score – User risk scoring for high risk browsing activity

    Cloudflare One’s User Risk Scoring now incorporates direct signals from Gateway DNS traffic patterns. This update allows security teams to automatically elevate a user’s risk score when they visit high-risk or malicious domains, providing a more holistic view of internal threats.

    Why this matters

    Browsing activity is a primary indicator of potential compromise. By tying Gateway DNS logs to specific users, administrators can now flag individuals interacting with:

    • Security threats: Domains associated with malware, phishing, or command-and-control (C2) centers.
    • High-risk content: Categories such as questionable content or violence that may violate corporate compliance.

    Even if a Gateway policy is set to Block the traffic, the interaction is still captured as a “hit” to ensure the user’s risk profile reflects the attempted activity.

    New risk behaviors

    Two new behaviors are now available in the dashboard:

    • Suspicious Security Domain Visited: Triggers when a user visits a domain in the security threats or security risk categories.
    • High risk domain visited: Triggers when a user visits domains categorized as questionable content, violence, or CIPA.

    To learn more and get started, refer to the User Risk Scoring documentation.

  • AI Search – New Workers AI models for text generation and embedding in AI Search

    AI Search now supports four additional Workers AI models across text generation and embedding.

    Text generation

    Model | Context window (tokens)
    @cf/zai-org/glm-4.7-flash | 131,072
    @cf/qwen/qwen3-30b-a3b-fp8 | 32,000

    GLM-4.7-Flash is a lightweight model from Zhipu AI with a 131,072 token context window, suitable for long-document summarization and retrieval tasks. Qwen3-30B-A3B is a mixture-of-experts model from Alibaba that activates only 3 billion parameters per forward pass, keeping inference fast while maintaining strong response quality.

    Embedding

    Model | Vector dims | Input tokens | Metric
    @cf/qwen/qwen3-embedding-0.6b | 1,024 | 4,096 | cosine
    @cf/google/embeddinggemma-300m | 768 | 512 | cosine

    Qwen3-Embedding-0.6B supports up to 4,096 input tokens, making it a good fit for indexing longer text chunks. EmbeddingGemma-300M from Google produces 768-dimension vectors and is optimized for low-latency embedding workloads.

    All four models are available without additional provider keys since they run on Workers AI. Select them when creating or updating an AI Search instance in the dashboard or through the API.

    For the full list of supported models, refer to Supported models.

  • AI Search – Website Source CSS content selectors for precise content extraction in AI Search

    AI Search now supports CSS content selectors for website data sources. You can now define which parts of a crawled page are extracted and indexed by specifying CSS selectors paired with URL glob patterns.

    Content selectors solve the problem of indexing only relevant content while ignoring navigation, sidebars, footers, and other boilerplate. When a page URL matches a glob pattern, only elements matching the corresponding CSS selector are extracted and converted to Markdown for indexing.

    Configure content selectors via the dashboard or API:

    curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/ai-search/instances" \
      -H "Authorization: Bearer {api_token}" \
      -H "Content-Type: application/json" \
      -d '{
        "id": "my-ai-search",
        "source": "https://example.com",
        "type": "web-crawler",
        "source_params": {
          "web_crawler": {
            "parse_options": {
              "content_selector": [
                {
                  "path": "**/blog/**",
                  "selector": "article .post-body"
                }
              ]
            }
          }
        }
      }'

    Selectors are evaluated in order, and the first matching pattern wins. You can define up to 10 content selector entries per instance.

    For configuration details and examples, refer to the content selectors documentation.

  • WAF – WAF Release – 2026-04-07

    This week’s release introduces new detections for a critical Remote Code Execution (RCE) vulnerability in MCP Server (CVE-2026-23744), alongside targeted protection for an authentication bypass vulnerability in SolarWinds products (CVE-2025-40552). Additionally, this release includes a new generic detection rule designed to identify and block Cross-Site Scripting (XSS) injection attempts leveraging “OnEvent” handlers within HTTP cookies.

    Key Findings

    • MCP Server (CVE-2026-23744): A vulnerability in the Model Context Protocol (MCP) server implementation where malformed input payloads can trigger a memory corruption state, allowing for arbitrary code execution.

    • SolarWinds (CVE-2025-40552): A critical flaw in the authentication module allows unauthenticated attackers to bypass security filters and gain unauthorized access to the management console due to improper identity token validation.

    • XSS OnEvents Cookies: This generic rule identifies malicious event handlers (such as onload or onerror) embedded within HTTP cookie values.
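
    For teams that want a comparable check in their own log pipeline, the added example below scans a Cookie header for event-handler attributes after URL-decoding. It is not Cloudflare's rule logic; the handler list, the two decoding rounds and the sample headers are constructed assumptions.

```javascript
// Constructed subset of DOM event-handler attribute names; extend as needed.
const HANDLERS = ["onload", "onerror", "onclick", "onfocus", "onmouseover", "ontoggle"];
// A handler name counts only at the start of the value or after a delimiter,
// so ordinary words such as "onboarding" do not match.
const HANDLER_RE = new RegExp(`(?:^|[\\s"'/<>;])(${HANDLERS.join("|")})\\s*=`, "i");

// Undo up to `rounds` layers of percent-encoding; stop on malformed escapes.
function decodeRepeatedly(value, rounds = 2) {
  let out = value;
  for (let i = 0; i < rounds; i++) {
    try {
      const next = decodeURIComponent(out);
      if (next === out) break;
      out = next;
    } catch {
      break; // malformed escape sequence: inspect what was decoded so far
    }
  }
  return out;
}

// Split a Cookie request header into name/value pairs.
function parseCookieHeader(header) {
  return header.split(";").map((p) => p.trim()).filter(Boolean).map((pair) => {
    const eq = pair.indexOf("=");
    return eq === -1
      ? { name: pair, value: "" }
      : { name: pair.slice(0, eq), value: pair.slice(eq + 1) };
  });
}

// Return one finding per cookie whose decoded value carries an event handler.
function findEventHandlerCookies(header) {
  const hits = [];
  for (const { name, value } of parseCookieHeader(header)) {
    const m = HANDLER_RE.exec(decodeRepeatedly(value));
    if (m) hits.push({ cookie: name, handler: m[1].toLowerCase() });
  }
  return hits;
}

// Constructed sample headers: two benign, one single-encoded, one double-encoded.
const samples = [
  "session=abc123; theme=dark",
  "pref=onboarding=done",
  "sid=1; name=%22%3E%3Cimg%20src%3Dx%20onerror%3Dprobe()%3E",
  "q=%2522%2520onload%253Dx",
];
for (const s of samples) console.log(s, findEventHandlerCookies(s));
```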

    Impact

    Successful exploitation of the MCP Server and SolarWinds vulnerabilities could allow unauthenticated attackers to execute arbitrary code or gain administrative control, leading to a full system takeover. Additionally, the new generic XSS detection prevents attackers from leveraging browser event handlers in cookies to hijack user sessions or execute malicious scripts.

    Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments
    Cloudflare Managed Ruleset | 73ae1cf103da4bacaa2e1a610aa410af | N/A | Generic Rules – Command Execution – 5 – Body | Log | Disabled | This is a new detection.
    Cloudflare Managed Ruleset | a88a85b0cc5a4bc2abead6289131ec2f | N/A | Generic Rules – Command Execution – 5 – Header | Log | Disabled | This is a new detection.
    Cloudflare Managed Ruleset | 28518cdc40544979bbd86720551eb9e5 | N/A | Generic Rules – Command Execution – 5 – URI | Log | Block | This is a new detection.
    Cloudflare Managed Ruleset | 1177993d53a1467997002b44d46229eb | N/A | MCP Server – Remote Code Execution – CVE:CVE-2026-23744 | Log | Block | This is a new detection.
    Cloudflare Managed Ruleset | 3d43cdfbc3c14584942f8bc4a864b9c2 | N/A | XSS – OnEvents – Cookies | Log | Block | This is a new detection.
    Cloudflare Managed Ruleset | 41153470df2365192b0df74ca78ad04e | N/A | SQLi – Evasion – Body | Log | Disabled | This is a new detection.
    Cloudflare Managed Ruleset | 64d812e6d5844d7c9d7a44a440732d48 | N/A | SQLi – Evasion – Headers | Log | Disabled | This is a new detection.
    Cloudflare Managed Ruleset | 50de9369ef7c45928a5dfb34e68a99b5 | N/A | SQLi – Evasion – URI | Log | Disabled | This is a new detection.
    Cloudflare Managed Ruleset | 765ffb5c67b94c9589106c843e8143d2 | N/A | SQLi – LIKE 3 – Body | Log | Disabled | This is a new detection.
    Cloudflare Managed Ruleset | 5c3dbd4f115e47c781491fcd70e7fb97 | N/A | SQLi – LIKE 3 – URI | Log | Disabled | This is a new detection.
    Cloudflare Managed Ruleset | 89fa6027a0334949b1cb2e654c538bd9 | N/A | SQLi – UNION – 2 – Body | Log | Disabled | This is a new detection.
    Cloudflare Managed Ruleset | 05946b3458364f1b9d4819d561c439c9 | N/A | SQLi – UNION – 2 – URI | Log | Disabled | This is a new detection.
    Cloudflare Managed Ruleset | b2fe5c2a39df4609b6d39908cf33ea10 | N/A | SolarWinds – Auth Bypass – CVE:CVE-2025-40552 | Log | Block | This is a new detection.