Cloudflare Release Notes

Follow

1197 release notes curated from 12 sources by the Releasebot Team. Last updated: Jul 3, 2026

Get this feed:

Cloudflare Products (12)

  • Jul 3, 2026
    • Date parsed from source:
      Jul 3, 2026
    • First seen by Releasebot:
      Jul 3, 2026
    Cloudflare logo

    Developer Platform by Cloudflare

    Workers - Simpler runtime types with @cloudflare/workers-types v5

    Developer Platform ships version 5 of @cloudflare/workers-types, simplifying runtime types to latest compatibility flags and adding experimental and latest entrypoints while removing dated entrypoints.

    We have released version 5 of @cloudflare/workers-types. This release simplifies the package to expose only the latest runtime types.

    We still recommend that you generate types for your Worker using wrangler types, but if you want to use the package directly, you can install it with your package manager of choice:

    npm i -D @cloudflare/workers-types@latest
    yarn add -D @cloudflare/workers-types@latest
    pnpm add -D @cloudflare/workers-types@latest
    bun add -d @cloudflare/workers-types@latest
    

    The package now exposes two entrypoints:

    @cloudflare/workers-types reflects the latest compatibility date, using the latest stable compatibility flags.

    @cloudflare/workers-types/experimental reflects APIs behind experimental compatibility flags.

    The dated entrypoints, such as @cloudflare/workers-types/2022-11-30 and @cloudflare/workers-types/2023-03-01, are removed. With runtime type generation in Wrangler v4, you can generate these with the wrangler types command to create types locked to your Worker's compatibility date.

    For more information, refer to TypeScript language support.

    Original source
  • Jul 2, 2026
    • Date parsed from source:
      Jul 2, 2026
    • First seen by Releasebot:
      Jul 3, 2026
    Cloudflare logo

    Application Performance by Cloudflare

    Cache - Cache multiple versions of a URL with Vary

    Application Performance adds Vary support in Cache Rules, letting Cloudflare cache multiple versions of the same URL based on origin Vary headers. It improves cache hits, preserves correct content negotiation, and works across all plans with normalize, passthrough, or bypass handling.

    Your origin can serve different responses for the same URL — different languages based on Accept-Language, or different formats based on Accept — by returning a Vary response header. Cloudflare's cache now honors that header directly in Cache Rules, so the same URL can hold multiple cached versions and each request is matched to the right one. Content that previously had to bypass cache to stay correct can now be cached, following standard HTTP caching behavior.

    What changed

    Your origin now decides which request headers matter by listing them in its Vary response, and you control how Cloudflare treats each one. When you have enabled Vary using a cache rule and a response includes a Vary header, the request headers listed become part of the cache key.

    For each header your origin varies on, choose one of three actions:

    Action
    Behavior
    Best for

    • normalize
      Converts equivalent header values to the same cache key value before matching, collapsing redundant versions.
      Most Accept, Accept-Language, and Accept-Encoding use cases.

    • passthrough
      Uses the raw header value to select the cached version and forwards it to the origin unchanged.
      When byte-for-byte differences in the header value should create versions.

    • bypass
      Bypasses cache whenever this header name appears in the origin's Vary response.
      Per-user values, or headers with too many possible values to cache safely.

    Benefits

    Higher cache hit ratios: normalize treats semantically equivalent headers as one version. For example, Accept-Language: en-US, fr;q=0.8 and Accept-Language: fr;q=0.8, en-GB both resolve to the same cache key, so you serve more requests from cache instead of the origin.

    Correct content negotiation: Requests always receive the cached version that matches their headers, so language and format variants stay accurate.

    No origin or Worker changes required: If your origin already sends Vary, you configure the behavior entirely in Cache Rules.

    Standards-aligned: Cache key calculation follows RFC 9111, and Vary: * continues to bypass cache as required by RFC 9110.

    Availability

    Vary in Cache Rules is available on all plans (Free, Pro, Business, and Enterprise). For per-request control in Workers subrequests, use the cf.vary property.

    Get started

    Configure Vary in the Cloudflare dashboard under Caching > Cache Rules, or through the Rulesets API. To learn how Vary affects cache keys and how each action works, refer to Vary and the Cache Rules Vary setting.

    Original source
  • All of your release notes in one feed

    Join Releasebot and get updates from Cloudflare and hundreds of other software products.

    Create account
  • Jul 2, 2026
    • Date parsed from source:
      Jul 2, 2026
    • First seen by Releasebot:
      Jul 3, 2026
    Cloudflare logo

    Cloudflare One by Cloudflare

    Cloudflare One - Hostname routing for Cloudflare Mesh

    Cloudflare One adds hostname routes for Cloudflare Mesh nodes, letting teams attract traffic by name instead of CIDR ranges. It supports private and public hostnames, simplifying access to internal apps and egress through a node without running a DNS server.

    You can now add hostname routes to a Cloudflare Mesh node, in addition to CIDR routes.

    Client device

    Requests wiki.internal.local

    DNS query ↓

    Cloudflare Gateway

    Returns a token IP, then rewrites the destination to the real private
    IP.

    100.80.0.0/16

    Hostname route ↓

    Mesh node

    Forwards traffic to the host on the local network

    Private host

    wiki.internal.local · 10.0.0.50

    Instead of managing IP ranges, you can attract traffic for a hostname to a Mesh node:

    Private hostname (for example, wiki.internal.local) — reach an internal application by name, which is useful when it has an unknown or ephemeral IP. On Mesh you do not need to run a DNS server; a local hosts-file entry on the node is enough, or you can use a Gateway resolver policy for split DNS.

    Public hostname (for example, www.example.com) — route that hostname's traffic through the node and egress via the node's public IP.

    Go to Mesh

    For setup steps, prerequisites, and DNS options, refer to Hostname routes.

    Original source
  • Jul 2, 2026
    • Date parsed from source:
      Jul 2, 2026
    • First seen by Releasebot:
      Jul 3, 2026
    Cloudflare logo

    Developer Platform by Cloudflare

    AI Search - Manage AI Search sync jobs with Wrangler CLI

    Developer Platform adds Wrangler commands for AI Search sync jobs, letting users create, list, inspect, cancel, and view logs for index refresh jobs from CI/CD and automated pipelines.

    When you connect a data source to your AI Search instance, AI Search runs sync jobs to keep your index up to date with your content. You can now manage those jobs directly from Wrangler.

    For example, you can trigger a sync job from your CI/CD or automated pipelines with the jobs create command so your index refreshes when you push a change:

    wrangler ai-search jobs create my-instance
    

    This creates an asynchronous sync job that checks for changes in your data source, and sends new, modified, or deleted files to be indexed.

    The following commands are available:

    Command Description wrangler ai-search jobs create Trigger a new sync job wrangler ai-search jobs list List sync jobs for an instance wrangler ai-search jobs get Get details for a job wrangler ai-search jobs cancel Cancel a running job wrangler ai-search jobs logs View log entries for a job

    All commands accept --namespace/-n (defaults to default) and --json for structured output that automation and AI agents can parse directly. The list and logs commands also support --page and --per-page for pagination, and cancel prompts for confirmation unless you pass -y/--force.

    For full usage details, refer to the AI Search Wrangler commands documentation.

    Original source
  • Jul 2, 2026
    • Date parsed from source:
      Jul 2, 2026
    • First seen by Releasebot:
      Jul 3, 2026
    Cloudflare logo

    Developer Platform by Cloudflare

    Workers - Work across multiple accounts with Wrangler auth profiles

    Developer Platform adds Wrangler CLI auth profiles for named, directory-scoped Cloudflare logins that automatically switch by folder. Users can separate client, staging, and production access, run commands with --profile, and pair profiles with account_id for safer account targeting.

    Wrangler CLI now supports auth profiles: named logins that you scope to specific Cloudflare accounts and switch between automatically, based on the directory you are working in.

    A profile is a named OAuth login bound to a directory. Commands run in that directory, and its subdirectories, use the matching account — so you can move between accounts without re-running wrangler login.

    Use profiles to keep a separate login for each client when working at an agency, or to separate staging and production into different accounts. Pair a profile with an account_id in your Wrangler configuration file so a command cannot reach the wrong account.

    Create a profile for each account, choosing which accounts it can reach

    wrangler auth create client-a
    wrangler auth activate client-a ~/clients/client-a
    wrangler auth create client-b
    wrangler auth activate client-b ~/clients/client-b
    

    Use the --profile flag to run a single command with a specific profile:

    wrangler deploy --profile personal
    

    In CI and other automated environments, CLOUDFLARE_API_TOKEN still takes precedence over all profiles.

    For setup, the resolution order, and the full command reference, refer to Authentication profiles.

    Original source
  • Similar to Cloudflare with recent updates:

  • Jul 2, 2026
    • Date parsed from source:
      Jul 2, 2026
    • First seen by Releasebot:
      Jul 2, 2026
    Cloudflare logo

    Cloudflare AI by Cloudflare

    Manage AI Search sync jobs with Wrangler CLI

    Cloudflare AI adds Wrangler support for AI Search sync jobs, letting teams trigger, list, inspect, cancel, and view logs for index refreshes from CI/CD or automation. It also adds JSON output and pagination options for easier scripting and agent workflows.

    When you connect a data source to your AI Search instance, AI Search runs sync jobs to keep your index up to date with your content. You can now manage those jobs directly from Wrangler.

    For example, you can trigger a sync job from your CI/CD or automated pipelines with the jobs create command so your index refreshes when you push a change:

    Terminal window
    wrangler ai-search jobs create my-instance
    

    This creates an asynchronous sync job that checks for changes in your data source, and sends new, modified, or deleted files to be indexed. The following commands are available:

    Command Description wrangler ai-search jobs create Trigger a new sync job wrangler ai-search jobs list List sync jobs for an instance wrangler ai-search jobs get Get details for a job wrangler ai-search jobs cancel Cancel a running job wrangler ai-search jobs logs View log entries for a job

    All commands accept --namespace / -n (defaults to default) and --json for structured output that automation and AI agents can parse directly. The list and logs commands also support --page and --per-page for pagination, and cancel prompts for confirmation unless you pass -y / --force.

    For full usage details, refer to the AI Search Wrangler commands documentation.

    Original source
  • Jul 1, 2026
    • Date parsed from source:
      Jul 1, 2026
    • First seen by Releasebot:
      Jul 3, 2026
    Cloudflare logo

    Cloudflare AI by Cloudflare

    Reduced end-to-end latency for vector changes

    Cloudflare AI improves Vectorize write-ahead log throughput, cutting vector update latency so inserts, upserts, and deletes become queryable much faster. Median latency drops from 2 minutes to under 30 seconds, with p99 under 2 minutes, boosting freshness for search and RAG workloads.

    We have greatly improved the throughput of the Vectorize write-ahead log (WAL). As a result, we have significantly reduced the end-to-end latency for a vector change to become queryable: median latency has dropped from 2 minutes to under 30 seconds, and p99 latency from 5 minutes to under 2 minutes.

    This means inserts, upserts, and deletes are reflected in query results faster, improving the freshness of semantic search, recommendation, and retrieval-augmented generation (RAG) workloads. You do not need to change your code or configuration to benefit from this improvement.

    For more information, refer to the Vectorize documentation.

    Original source
  • Jul 1, 2026
    • Date parsed from source:
      Jul 1, 2026
    • First seen by Releasebot:
      Jul 3, 2026
    Cloudflare logo

    Cloudflare One by Cloudflare

    Cloudflare One Client - Cloudflare One Client for Linux (version 2026.6.836.0)

    Cloudflare One adds a new GA Linux Cloudflare One Client release on the stable downloads page, fixing RPM packaging so each OS version gets the correct build and required dependencies. Debian and Ubuntu are unaffected, and RPM users on 2026.6.822.0 are advised to refresh repository settings.

    A new GA release for the Linux Cloudflare One Client is now available on the stable releases downloads page.

    This package is the same release as 2026.6.822.0, with a fix for our RPM package. Previously the repository served a single build to every OS version, so an install could pull a dependency that isn't available on that release. The repository now serves the correct build for each operating system version, so installs automatically pull the dependencies that version requires. Debian and Ubuntu were not affected.

    If you installed version 2026.6.822.0 on an RPM-based distribution, we recommend refreshing your repository configuration:

    sudo curl -fsSL https://pkg.cloudflareclient.com/cloudflare-warp-ascii.repo | sudo tee /etc/yum.repos.d/cloudflare-warp.repo
    sudo dnf clean all
    sudo dnf install cloudflare-warp
    
    Original source
  • Jul 1, 2026
    • Date parsed from source:
      Jul 1, 2026
    • First seen by Releasebot:
      Jul 3, 2026
    Cloudflare logo

    Cloudflare One by Cloudflare

    Access - Fix redirect URL fragment encoding for single-page applications

    Cloudflare One fixes Access redirects so URL fragment characters are preserved after login, keeping single-page app navigation intact and preventing broken routes without any configuration changes.

    Access now correctly preserves URL fragment characters (/, ?, =, &, ;) when redirecting users back to an application after login. Previously, these characters were encoded with encodeURIComponent, which mangled fragment-based routes used by single-page applications (SPAs).

    For example, an SPA URL like https://app.example.com/#/dashboard?tab=settings&view=advanced would previously redirect to a broken URL after login. This is now handled correctly.

    If your SPA users were experiencing broken navigation after authenticating through Access, this fix resolves the issue without any configuration changes.

    Original source
  • Jul 1, 2026
    • Date parsed from source:
      Jul 1, 2026
    • First seen by Releasebot:
      Jul 3, 2026
    Cloudflare logo

    Cloudflare One by Cloudflare

    Access - Independent MFA for infrastructure applications

    Cloudflare One adds independent MFA for SSH connections using YubiKey PIV keys, bringing hardware-backed protection, per-app and per-policy controls, and configurable re-authentication timing for infrastructure access.

    Access for Infrastructure now supports independent multi-factor authentication (MFA) for SSH connections using YubiKey PIV keys. This adds a hardware-backed second factor to SSH access, ensuring that a compromised device session alone is not sufficient to reach your servers.

    With per-application and per-policy configuration, you can enforce PIV key authentication for sensitive usernames (for example, root) while applying different requirements for other usernames. You can also set an MFA session duration to control how often users must re-authenticate.

    Enrollment

    Users enroll their YubiKey PIV key through the App Launcher. For enrollment instructions and SSH client setup, refer to Enroll a PIV key for infrastructure apps.

    Configuration

    For setup instructions, refer to Enforce MFA for infrastructure applications.

    Original source
  • Jul 1, 2026
    • Date parsed from source:
      Jul 1, 2026
    • First seen by Releasebot:
      Jul 3, 2026
    Cloudflare logo

    Developer Platform by Cloudflare

    Containers - Use Google Artifact Registry images with Containers

    Developer Platform adds support for Google Artifact Registry images in Containers, letting users reference fully qualified private images in Wrangler after configuring credentials. Only *-docker.pkg.dev hosts are supported.

    Containers now support Google Artifact Registry images. After you configure credentials, you can use a fully qualified Google Artifact Registry image reference in your Wrangler configuration instead of first pushing the image to Cloudflare Registry.

    Provide the service account email with --gar-email and pipe the service account JSON key through stdin:

    cat <PATH_TO_KEY> | npx wrangler containers registries configure <REGION>-docker.pkg.dev --gar-email=<SERVICE_ACCOUNT_EMAIL> --secret-name=<SECRET_NAME>
    

    wrangler.jsonc

    {
    "$schema": "./node_modules/wrangler/config-schema.json",
    "containers": [
    {
    "image": "<REGION>-docker.pkg.dev/<PROJECT_ID>/<REPOSITORY>/<IMAGE>:<TAG>"
    }
    ]
    }
    

    wrangler.toml

    # Example: us-central1-docker.pkg.dev/my-project/my-repo/my-image:latest
    [[containers]]
    image = "<REGION>-docker.pkg.dev/<PROJECT_ID>/<REPOSITORY>/<IMAGE>:<TAG>"
    

    Only *-docker.pkg.dev hosts are supported. To configure credentials, refer to Use private Google Artifact Registry images.

    For more information, refer to Image management.

    Original source
  • Jul 1, 2026
    • Date parsed from source:
      Jul 1, 2026
    • First seen by Releasebot:
      Jul 3, 2026
    Cloudflare logo

    Developer Platform by Cloudflare

    Vectorize - Reduced end-to-end latency for vector changes

    Developer Platform improves Vectorize write-ahead log throughput, cutting end-to-end vector query latency so inserts, upserts, and deletes show up faster in search, recommendation, and RAG workloads without any code or config changes.

    We have greatly improved the throughput of the Vectorize write-ahead log (WAL). As a result, we have significantly reduced the end-to-end latency for a vector change to become queryable: median latency has dropped from 2 minutes to under 30 seconds, and p99 latency from 5 minutes to under 2 minutes.

    This means inserts, upserts, and deletes are reflected in query results faster, improving the freshness of semantic search, recommendation, and retrieval-augmented generation (RAG) workloads. You do not need to change your code or configuration to benefit from this improvement.

    For more information, refer to the Vectorize documentation.

    Original source
  • Jul 1, 2026
    • Date parsed from source:
      Jul 1, 2026
    • First seen by Releasebot:
      Jul 3, 2026
    Cloudflare logo

    Application Security by Cloudflare

    Bots - New options to manage AI traffic

    Application Security adds AI crawler controls that let customers manage Search, Agent, and Training traffic separately, including Free plan users. It lets teams block, allow, or limit crawlers by page type, with updated defaults for new domains starting September 15, 2026.

    Not all AI traffic is the same. Now, all customers — including those on the Free plan — can manage AI crawlers based on what they actually do on your site. Cloudflare groups AI traffic into three behaviors you can control independently: Search, Agent, and Training. This lets you keep the automated traffic that sends readers and revenue back to you, while blocking the traffic that only takes from your content.

    Each behavior maps to a real use case. Search covers crawlers that index your content so they can answer questions about it later, where you should expect referral traffic or other equitable compensation in return. Agent covers automated activity acting in real time on a person's behalf, such as chat fetch bots and browser-use agents. Training covers crawlers that take your content to train or fine-tune a model. For each preset you can choose to block on all pages, block only on pages that display ads, or choose not to block.

    Starting September 15, 2026, new domains onboarding to Cloudflare receive updated defaults: Bots classified as Training or as Agent are blocked on pages that display ads, while Search remains allowed. On that date, multi-purpose crawlers that combine Search and Training will be affected by the new defaults to block Training. All customers can opt out of the new defaults at any time before September 15.

    Original source
  • Jul 1, 2026
    • Date parsed from source:
      Jul 1, 2026
    • First seen by Releasebot:
      Jul 3, 2026
    Cloudflare logo

    Application Security by Cloudflare

    Bots - More visibility into bot traffic with BotBase and Attribution Business Insights

    Application Security introduces BotBase and Attribution Business Insights for Enterprise Bot Management, giving customers a searchable directory of tracked bots and a dashboard to see crawl-to-referral value, bot classifications, and allowed or blocked AI traffic at a glance.

    With Content Independence Day 2026, Enterprise Bot Management customers get two new tools that make bot traffic far easier to see and reason about: BotBase, a searchable directory of every bot Cloudflare tracks, and Attribution Business Insights, a dashboard that shows how much value each crawler sends back to your business.

    BotBase is Cloudflare's directory of all known bots and agents, available directly in the dashboard. It shows how Cloudflare classifies each bot by behavior — Search, Agent, Training, and other categories such as Transact, Data Collection, SEO, and Ads Verification — so you can understand why a given crawler is visiting you. You can search and filter the full catalogue, filter your own traffic down to a single bot to investigate its activity on your zone, and copy any bot's detection ID to target it precisely in Security rules. Every tracked bot in BotBase is also published in Cloudflare Radar's bots and agents directory.

    Attribution Business Insights is built for content owners and business decision-makers who want to know which bots help or harm their business, without reading rule syntax. The dashboard reports crawl-to-referral ratios both site-wide and per bot operator — comparing how often a company crawls your content against how many visitors it actually refers back — over the last 24 hours, 7 days, or 30 days. Each operator is labeled with Cloudflare's updated classification and an action status of Allowed, Blocked, or Partially blocked, giving stakeholders a shared, at-a-glance view of the AI traffic reaching your site.

    Original source
  • Jul 1, 2026
    • Date parsed from source:
      Jul 1, 2026
    • First seen by Releasebot:
      Jul 3, 2026
    Cloudflare logo

    Application Security by Cloudflare

    WAF - WAF Release - 2026-07-01

    Application Security adds targeted coverage for a Fortinet FortiSandbox path traversal flaw and updates the Fake Bing or MSN Bot user-agent rule by changing its action from Block to Disabled.

    This release adds targeted coverage for a path traversal flaw in Fortinet FortiSandbox (CVE-2026-39813) and transitions the Anomaly:Header:User-Agent - Fake Bing or MSN Bot rule action from Block to Disabled.

    Key Findings

    CVE-2026-39813: A path traversal vulnerability in Fortinet FortiSandbox allows remote, unauthenticated attackers to read arbitrary files from the underlying filesystem due to insufficient validation of user-supplied input paths.

    Ruleset

    Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset 32075e19b1494117ac5915e8d84c92c9 N/A Fortinet FortiSandbox - Path Traversal - CVE:CVE-2026-39813 Log Block Cloudflare Managed Ruleset ae20608d93b94e97988db1bbc12cf9c8 N/A Anomaly:Header:User-Agent - Fake Bing or MSN Bot Enabled Disabled

    This is a new detection.

    We are changing the action for this rule from BLOCK to Disabled

    Original source
Releasebot

Curated by the Releasebot team

Releasebot is an aggregator of official release notes from hundreds of software vendors and thousands of sources.

Our editorial process involves the manual review and audit of release notes procured with the help of automated systems.