Blog

This week’s release introduces new detections for vulnerabilities in Ivanti Endpoint Manager Mobile (CVE-2026-1281 and CVE-2026-1340), alongside a new generic detection rule designed to identify and block Cross-Site Scripting (XSS) injection attempts within the Content-Security-Policy (CSP) HTTP request header.

Key Findings

• CVE-2026-1281 & CVE-2026-1340: Ivanti Endpoint Manager Mobile processes HTTP requests through Apache RevwriteMap directives that pass user-controlled input to Bash scripts (/mi/bin/map-appstore-url and /mi/bin/map-aft-store-url). Bash scripts do not sanitize user input and are vulnerable to shell arithmetic expansion thereby allowing attackers to achieve unauthenticated remote code execution.
• Generic XSS in CSP Header: This rule identifies malicious payloads embedded within the request’s Content-Security-Policy header. It specifically targets scenarios where web frameworks or applications trust and extract values directly from the CSP header in the incoming request without sufficient validation. Attackers can provide crafted header values to inject scripts or malicious directives that are subsequently processed by the server.

Impact

Successful exploitation of Ivanti EPMM vulnerability allows unauthenticated remote code execution and generic XSS in CSP header allows attackers to inject malicious scripts during page rendering. In environments using server-side caching, this poisoned XSS content can subsequently be cached and automatically served to all visitors.

We’re excited to partner with NVIDIA to bring @cf/nvidia/nemotron-3-120b-a12b to Workers AI. NVIDIA Nemotron 3 Super is a Mixture-of-Experts (MoE) model with a hybrid Mamba-transformer architecture, 120B total parameters, and 12B active parameters per forward pass.

The model is optimized for running many collaborating agents per application. It delivers high accuracy for reasoning, tool calling, and instruction following across complex multi-step tasks.

Key capabilities:

• Hybrid Mamba-transformer architecture delivers over 50% higher token generation throughput compared to leading open models, reducing latency for real-world applications
• Tool calling support for building AI agents that invoke tools across multiple conversation turns
• Multi-Token Prediction (MTP) accelerates long-form text generation by predicting several future tokens simultaneously in a single forward pass
• 32,000 token context window for retaining conversation history and plan states across multi-step agent workflows

Use Nemotron 3 Super through the Workers AI binding (env.AI.run()), the REST API, or the OpenAI-compatible endpoint.

For more information, refer to the Nemotron 3 Super model page.

Cloudflare-generated 1xxx errors now return structured JSON when clients send Accept: application/json or Accept: application/problem+json. JSON responses follow RFC 9457 (Problem Details for HTTP APIs), so any HTTP client that understands Problem Details can parse the base members without Cloudflare-specific code.

Breaking change

The Markdown frontmatter field http_status has been renamed to status. Agents consuming Markdown frontmatter should update parsers accordingly.

Changes

JSON format. Clients sending Accept: application/json or Accept: application/problem+json now receive a structured JSON object with the same operational fields as Markdown frontmatter, plus RFC 9457 standard members.

RFC 9457 standard members (JSON only):

• type — URI pointing to Cloudflare documentation for the specific error code
• status — HTTP status code (matching the response status)
• title — short, human-readable summary
• detail — human-readable explanation specific to this occurrence
• instance — Ray ID identifying this specific error occurrence

Field renames:

• http_status -> status (JSON and Markdown)
• what_happened -> detail (JSON only — Markdown prose sections are unchanged)

Content-Type mirroring. Clients sending Accept: application/problem+json receive Content-Type: application/problem+json; charset=utf-8 back; Accept: application/json receives application/json; charset=utf-8. Same body in both cases.

Negotiation behavior

Availability

Available now for Cloudflare-generated 1xxx errors.

Get started

curl -s --compressed -H "Accept: application/json" -A "TestAgent/1.0" -H "Accept-Encoding: gzip, deflate" "<YOUR_DOMAIN>/cdn-cgi/error/1015" | jq .

curl -s --compressed -H "Accept: application/problem+json" -A "TestAgent/1.0" -H "Accept-Encoding: gzip, deflate" "<YOUR_DOMAIN>/cdn-cgi/error/1015" | jq .

References:

• RFC 9457 — Problem Details for HTTP APIs
• Cloudflare 1xxx error documentation

We’re excited to partner with NVIDIA to bring @cf/nvidia/nemotron-3-120b-a12b to Workers AI. NVIDIA Nemotron 3 Super is a Mixture-of-Experts (MoE) model with a hybrid Mamba-transformer architecture, 120B total parameters, and 12B active parameters per forward pass.

The model is optimized for running many collaborating agents per application. It delivers high accuracy for reasoning, tool calling, and instruction following across complex multi-step tasks.

Key capabilities:

• Hybrid Mamba-transformer architecture delivers over 50% higher token generation throughput compared to leading open models, reducing latency for real-world applications
• Tool calling support for building AI agents that invoke tools across multiple conversation turns
• Multi-Token Prediction (MTP) accelerates long-form text generation by predicting several future tokens simultaneously in a single forward pass
• 32,000 token context window for retaining conversation history and plan states across multi-step agent workflows

Use Nemotron 3 Super through the Workers AI binding (env.AI.run()), the REST API, or the OpenAI-compatible endpoint.

For more information, refer to the Nemotron 3 Super model page.

Cloudflare-generated 1xxx errors now return structured JSON when clients send Accept: application/json or Accept: application/problem+json. JSON responses follow RFC 9457 (Problem Details for HTTP APIs), so any HTTP client that understands Problem Details can parse the base members without Cloudflare-specific code.

Breaking change

The Markdown frontmatter field http_status has been renamed to status. Agents consuming Markdown frontmatter should update parsers accordingly.

Changes

JSON format. Clients sending Accept: application/json or Accept: application/problem+json now receive a structured JSON object with the same operational fields as Markdown frontmatter, plus RFC 9457 standard members.

RFC 9457 standard members (JSON only):

• type — URI pointing to Cloudflare documentation for the specific error code
• status — HTTP status code (matching the response status)
• title — short, human-readable summary
• detail — human-readable explanation specific to this occurrence
• instance — Ray ID identifying this specific error occurrence

Field renames:

• http_status -> status (JSON and Markdown)
• what_happened -> detail (JSON only — Markdown prose sections are unchanged)

Content-Type mirroring. Clients sending Accept: application/problem+json receive Content-Type: application/problem+json; charset=utf-8 back; Accept: application/json receives application/json; charset=utf-8. Same body in both cases.

Negotiation behavior

Availability

Available now for Cloudflare-generated 1xxx errors.

Get started

curl -s --compressed -H "Accept: application/json" -A "TestAgent/1.0" -H "Accept-Encoding: gzip, deflate" "<YOUR_DOMAIN>/cdn-cgi/error/1015" | jq .

curl -s --compressed -H "Accept: application/problem+json" -A "TestAgent/1.0" -H "Accept-Encoding: gzip, deflate" "<YOUR_DOMAIN>/cdn-cgi/error/1015" | jq .

References:

• RFC 9457 — Problem Details for HTTP APIs
• Cloudflare 1xxx error documentation

A new Beta release for the macOS WARP client is now available on the beta releases downloads page.

This release contains minor fixes and introduces a brand new visual style for the client interface. The new Cloudflare One Client interface changes connectivity management from a toggle to a button and brings useful connectivity settings to the home screen. The redesign also introduces a collapsible navigation bar. When expanded, more client information can be accessed including connectivity, settings, and device profile information. If you have any feedback or questions, visit the Cloudflare Community forum and let us know.

Changes and improvements

• Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config.
• Fixed an issue in proxy mode where the client could become unresponsive due to upstream connection timeouts.
• Fixed emergency disconnect state from a previous organization incorrectly persisting after switching organizations.
• Consumer-only CLI commands are now clearly distinguished from Zero Trust commands.
• Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting.
• Added monitoring for tunnel statistics collection timeouts.
• Switched tunnel congestion control algorithm to Cubic for improved reliability across platforms.
• Fixed initiating managed network detection checks when no network is available, which caused device profile flapping.

Known issues

• The client may become stuck in a Connecting state. To resolve this issue, reconnect the client by selecting Disconnect and then Connect in the client user interface. Alternatively, change the client’s operation mode.
• The client may display an empty white screen upon the device waking from sleep. To resolve this issue, exit and then open the client to re-launch it.
• Canceling login during a single MDM configuration setup results in an empty page with no way to resume authentication. To work around this issue, exit and relaunch the client.

A new Beta release for the macOS WARP client is now available on the beta releases downloads page.

This release contains minor fixes and introduces a brand new visual style for the client interface. The new Cloudflare One Client interface changes connectivity management from a toggle to a button and brings useful connectivity settings to the home screen. The redesign also introduces a collapsible navigation bar. When expanded, more client information can be accessed including connectivity, settings, and device profile information. If you have any feedback or questions, visit the Cloudflare Community forum and let us know.

Changes and improvements

• Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config.
• Fixed an issue in proxy mode where the client could become unresponsive due to upstream connection timeouts.
• Fixed emergency disconnect state from a previous organization incorrectly persisting after switching organizations.
• Consumer-only CLI commands are now clearly distinguished from Zero Trust commands.
• Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting.
• Added monitoring for tunnel statistics collection timeouts.
• Switched tunnel congestion control algorithm to Cubic for improved reliability across platforms.
• Fixed initiating managed network detection checks when no network is available, which caused device profile flapping.

Known issues

• The client may become stuck in a Connecting state. To resolve this issue, reconnect the client by selecting Disconnect and then Connect in the client user interface. Alternatively, change the client’s operation mode.
• The client may display an empty white screen upon the device waking from sleep. To resolve this issue, exit and then open the client to re-launch it.
• Canceling login during a single MDM configuration setup results in an empty page with no way to resume authentication. To work around this issue, exit and relaunch the client.

A new Beta release for the Windows WARP client is now available on the beta releases downloads page.

This release contains minor fixes and introduces a brand new visual style for the client interface. The new Cloudflare One Client interface changes connectivity management from a toggle to a button and brings useful connectivity settings to the home screen. The redesign also introduces a collapsible navigation bar. When expanded, more client information can be accessed including connectivity, settings, and device profile information. If you have any feedback or questions, visit the Cloudflare Community forum and let us know.

Changes and improvements

• Consumer-only CLI commands are now clearly distinguished from Zero Trust commands.
• Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting.
• Added monitoring for tunnel statistics collection timeouts.
• Switched tunnel congestion control algorithm to Cubic for improved reliability across platforms.
• Fixed packet capture failing on tunnel interface when the tunnel interface is renamed by SCCM VPN boundary support.
• Fixed unnecessary registration deletion caused by RDP connections in multi-user mode.
• Fixed increased tunnel interface start-up time due to a race between duplicate address detection (DAD) and disabling NetBT.
• Fixed tunnel failing to connect when the system DNS search list contains unexpected characters.
• Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config.
• Fixed an issue in proxy mode where the client could become unresponsive due to upstream connection timeouts.
• Fixed emergency disconnect state from a previous organization incorrectly persisting after switching organizations.
• Fixed initiating managed network detection checks when no network is available, which caused device profile flapping.

Known issues

• The client may unexpectedly terminate during captive portal login. To work around this issue, use a web browser to authenticate with the captive portal and then re-launch the client.
• An error indicating that Microsoft Edge can’t read and write to its data directory may be displayed during captive portal login; this error is benign and can be dismissed.
• The client may become stuck in a Connecting state. To resolve this issue, reconnect the client by selecting Disconnect and then Connect in the client user interface. Alternatively, change the client’s operation mode.
• The client may display an empty white screen upon the device waking from sleep. To resolve this issue, exit and then open the client to re-launch it.
• Canceling login during a single MDM configuration setup results in an empty page with no way to resume authentication. To work around this issue, exit and relaunch the client.
• For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 version KB5062553 or higher for resolution.
• Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later. This warning will be omitted from future release notes. This Microsoft Security Intelligence update was released in May 2025.
• DNS resolution may be broken when the following conditions are all true:
  • The client is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
  • A custom DNS server address is configured on the primary network adapter.
  • The custom DNS server address on the primary network adapter is changed while the client is connected.
    To work around this issue, reconnect the client by selecting Disconnect and then Connect in the client user interface.

A new Beta release for the Windows WARP client is now available on the beta releases downloads page.

This release contains minor fixes and introduces a brand new visual style for the client interface. The new Cloudflare One Client interface changes connectivity management from a toggle to a button and brings useful connectivity settings to the home screen. The redesign also introduces a collapsible navigation bar. When expanded, more client information can be accessed including connectivity, settings, and device profile information. If you have any feedback or questions, visit the Cloudflare Community forum and let us know.

Changes and improvements

• Consumer-only CLI commands are now clearly distinguished from Zero Trust commands.
• Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting.
• Added monitoring for tunnel statistics collection timeouts.
• Switched tunnel congestion control algorithm to Cubic for improved reliability across platforms.
• Fixed packet capture failing on tunnel interface when the tunnel interface is renamed by SCCM VPN boundary support.
• Fixed unnecessary registration deletion caused by RDP connections in multi-user mode.
• Fixed increased tunnel interface start-up time due to a race between duplicate address detection (DAD) and disabling NetBT.
• Fixed tunnel failing to connect when the system DNS search list contains unexpected characters.
• Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config.
• Fixed an issue in proxy mode where the client could become unresponsive due to upstream connection timeouts.
• Fixed emergency disconnect state from a previous organization incorrectly persisting after switching organizations.
• Fixed initiating managed network detection checks when no network is available, which caused device profile flapping.

Known issues

• The client may unexpectedly terminate during captive portal login. To work around this issue, use a web browser to authenticate with the captive portal and then re-launch the client.
• An error indicating that Microsoft Edge can’t read and write to its data directory may be displayed during captive portal login; this error is benign and can be dismissed.
• The client may become stuck in a Connecting state. To resolve this issue, reconnect the client by selecting Disconnect and then Connect in the client user interface. Alternatively, change the client’s operation mode.
• The client may display an empty white screen upon the device waking from sleep. To resolve this issue, exit and then open the client to re-launch it.
• Canceling login during a single MDM configuration setup results in an empty page with no way to resume authentication. To work around this issue, exit and relaunch the client.
• For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 version KB5062553 or higher for resolution.
• Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later. This warning will be omitted from future release notes. This Microsoft Security Intelligence update was released in May 2025.
• DNS resolution may be broken when the following conditions are all true:
  • The client is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
  • A custom DNS server address is configured on the primary network adapter.
  • The custom DNS server address on the primary network adapter is changed while the client is connected.
    To work around this issue, reconnect the client by selecting Disconnect and then Connect in the client user interface.

Audit Logs v2 is now generally available to all Cloudflare customers.

Audit Logs v2 provides a unified and standardized system for tracking and recording all user and system actions across Cloudflare products. Built on Cloudflare’s API Shield / OpenAPI gateway, logs are generated automatically without requiring manual instrumentation from individual product teams, ensuring consistency across ~95% of Cloudflare products.

What’s available at GA:

• Standardized logging — Audit logs follow a consistent format across all Cloudflare products, making it easier to search, filter, and investigate activity.
• Expanded product coverage — ~95% of Cloudflare products covered, up from ~75% in v1.
• Granular filtering — Filter by actor, action type, action result, resource, raw HTTP method, zone, and more. Over 20 filter parameters available via the API.
• Enhanced context — Each log entry includes authentication method, interface (API or dashboard), Cloudflare Ray ID, and actor token details.
• 18-month retention — Logs are retained for 18 months. Full history is accessible via the API or Logpush.

Access:

• Dashboard: Go to Manage Account > Audit Logs. Audit Logs v2 is shown by default.
• API: GET https://api.cloudflare.com/client/v4/accounts/{account_id}/logs/audit
• Logpush: Available via the audit_logs_v2 account-scoped dataset.

Important notes:

• Approximately 30 days of logs from the Beta period (back to ~February 8, 2026) are available at GA. These Beta logs will expire on ~April 9, 2026. Logs generated after GA will be retained for the full 18 months. Older logs remain available in Audit Logs v1.
• The UI query window is limited to 90 days for performance reasons. Use the API or Logpush for access to the full 18-month history.
• GET requests (view actions) and 4xx error responses are not logged at GA. GET logging will be selectively re-enabled for sensitive read operations in a future release.
• Audit Logs v1 continues to run in parallel. A deprecation timeline will be communicated separately.
• Before and after values — the ability to see what a value changed from and to — is a highly requested feature and is on our roadmap for a post-GA release. In the meantime, we recommend using Audit Logs v1 for before and after values. Audit Logs v1 will continue to run in parallel until this feature is available in v2.

For more details, refer to the Audit Logs v2 documentation.