Cloudflare One Updates & Release Notes
143 updates curated from 1 source by the Releasebot Team. Last updated: Jul 3, 2026
- Jul 2, 2026
- Date parsed from source:Jul 2, 2026
- First seen by Releasebot:Jul 3, 2026
Cloudflare One - Hostname routing for Cloudflare Mesh
Cloudflare One adds hostname routes for Cloudflare Mesh nodes, letting teams attract traffic by name instead of CIDR ranges. It supports private and public hostnames, simplifying access to internal apps and egress through a node without running a DNS server.
You can now add hostname routes to a Cloudflare Mesh node, in addition to CIDR routes.
Client device
Requests wiki.internal.local
DNS query ↓
Cloudflare Gateway
Returns a token IP, then rewrites the destination to the real private
IP.100.80.0.0/16
Hostname route ↓
Mesh node
Forwards traffic to the host on the local network
↓
Private host
wiki.internal.local · 10.0.0.50
Instead of managing IP ranges, you can attract traffic for a hostname to a Mesh node:
Private hostname (for example, wiki.internal.local) — reach an internal application by name, which is useful when it has an unknown or ephemeral IP. On Mesh you do not need to run a DNS server; a local hosts-file entry on the node is enough, or you can use a Gateway resolver policy for split DNS.
Public hostname (for example, www.example.com) — route that hostname's traffic through the node and egress via the node's public IP.
Go to Mesh
For setup steps, prerequisites, and DNS options, refer to Hostname routes.
Original source - Jul 1, 2026
- Date parsed from source:Jul 1, 2026
- First seen by Releasebot:Jul 3, 2026
Cloudflare One Client - Cloudflare One Client for Linux (version 2026.6.836.0)
Cloudflare One adds a new GA Linux Cloudflare One Client release on the stable downloads page, fixing RPM packaging so each OS version gets the correct build and required dependencies. Debian and Ubuntu are unaffected, and RPM users on 2026.6.822.0 are advised to refresh repository settings.
A new GA release for the Linux Cloudflare One Client is now available on the stable releases downloads page.
This package is the same release as 2026.6.822.0, with a fix for our RPM package. Previously the repository served a single build to every OS version, so an install could pull a dependency that isn't available on that release. The repository now serves the correct build for each operating system version, so installs automatically pull the dependencies that version requires. Debian and Ubuntu were not affected.
If you installed version 2026.6.822.0 on an RPM-based distribution, we recommend refreshing your repository configuration:
Original sourcesudo curl -fsSL https://pkg.cloudflareclient.com/cloudflare-warp-ascii.repo | sudo tee /etc/yum.repos.d/cloudflare-warp.repo sudo dnf clean all sudo dnf install cloudflare-warp All of your release notes in one feed
Join Releasebot and get updates from Cloudflare and hundreds of other software products.
- Jul 1, 2026
- Date parsed from source:Jul 1, 2026
- First seen by Releasebot:Jul 3, 2026
Access - Fix redirect URL fragment encoding for single-page applications
Cloudflare One fixes Access redirects so URL fragment characters are preserved after login, keeping single-page app navigation intact and preventing broken routes without any configuration changes.
Access now correctly preserves URL fragment characters (/, ?, =, &, ;) when redirecting users back to an application after login. Previously, these characters were encoded with encodeURIComponent, which mangled fragment-based routes used by single-page applications (SPAs).
For example, an SPA URL like https://app.example.com/#/dashboard?tab=settings&view=advanced would previously redirect to a broken URL after login. This is now handled correctly.
If your SPA users were experiencing broken navigation after authenticating through Access, this fix resolves the issue without any configuration changes.
Original source - Jul 1, 2026
- Date parsed from source:Jul 1, 2026
- First seen by Releasebot:Jul 3, 2026
Access - Independent MFA for infrastructure applications
Cloudflare One adds independent MFA for SSH connections using YubiKey PIV keys, bringing hardware-backed protection, per-app and per-policy controls, and configurable re-authentication timing for infrastructure access.
Access for Infrastructure now supports independent multi-factor authentication (MFA) for SSH connections using YubiKey PIV keys. This adds a hardware-backed second factor to SSH access, ensuring that a compromised device session alone is not sufficient to reach your servers.
With per-application and per-policy configuration, you can enforce PIV key authentication for sensitive usernames (for example, root) while applying different requirements for other usernames. You can also set an MFA session duration to control how often users must re-authenticate.
Enrollment
Users enroll their YubiKey PIV key through the App Launcher. For enrollment instructions and SSH client setup, refer to Enroll a PIV key for infrastructure apps.
Configuration
For setup instructions, refer to Enforce MFA for infrastructure applications.
Original source - Jun 30, 2026
- Date parsed from source:Jun 30, 2026
- First seen by Releasebot:Jul 3, 2026
Gateway, Cloudflare One, Cloudflare Fundamentals - New permissions and roles for Gateway policies and lists
Cloudflare One adds granular resource-scoped roles for Gateway firewall policies and Zero Trust lists, letting admins delegate access to specific policy types or list management without granting broad account-wide control.
You can now assign granular, resource-scoped roles for Cloudflare Gateway firewall policies and Zero Trust lists. Administrators can delegate access to specific policy types or list management without granting account-wide or product-wide control.
What is new
When you add a member or create a permission policy, the following resource-scoped roles are now available:
Role Description Zero Trust Gateway Firewall Policies Admin Can view and edit all Gateway firewall policies, including DNS, HTTP, and Network policies. Zero Trust Gateway DNS Policies Admin Can view and edit Gateway DNS policies. Zero Trust Gateway HTTP Policies Admin Can view and edit Gateway HTTP policies. Zero Trust Gateway Network Policies Admin Can view and edit Gateway Network policies. Zero Trust Gateway Egress Policies Admin Can view and edit Gateway Egress policies. Zero Trust Gateway Resolver Policies Admin Can view and edit Gateway Resolver policies. Zero Trust Gateway Policies Admin Can view and edit all Gateway policies. Zero Trust Gateway Policies Read Can view all Gateway policies. Zero Trust Gateway Read Only Can view all Gateway resources. Zero Trust DNS Locations Admin Can view and edit DNS locations. Zero Trust Proxy Endpoints Admin Can view and edit Gateway Proxy Endpoints. Zero Trust Account Lists Admin Can view and edit all Gateway and Access lists. Zero Trust Account Lists Read Can view all Gateway and Access lists.These roles allow you to:
- Grant a network engineer write access to Network policies only, without exposing DNS or HTTP policy configuration.
- Allow a security analyst to view all Gateway policies in read-only mode for auditing purposes.
- Delegate list management to a team that maintains block and allow lists without giving them access to policy configuration.
You can also now assign Resource-scoped roles. These roles are complementary to existing account-level roles, and allow you to grant access to a specific resource, like an individual Gateway policy or Cloudflare One list. Existing account-level roles continue to work. A member with the Cloudflare Gateway or Cloudflare Zero Trust role retains full access to all Gateway resources. This ensures backward compatibility for existing automation and API tokens.
Get started
Review the resource-scoped roles on the Cloudflare role reference.
Learn how to create permission policies that use these roles.
Original source Similar to Cloudflare One with recent updates:
- ChatGPT updates185 release notes · Latest Jun 26, 2026
- Gemini updates348 release notes · Latest Jul 1, 2026
- Codex updates193 release notes · Latest Jun 29, 2026
- Cloudflare AI updates112 release notes · Latest Jul 2, 2026
- Claude Code updates383 release notes · Latest Jul 4, 2026
- Claude updates109 release notes · Latest Jul 2, 2026
- Jun 29, 2026
- Date parsed from source:Jun 29, 2026
- First seen by Releasebot:Jun 30, 2026
Cloudflare One Client - Cloudflare One Client for Windows (version 2026.6.822.0)
Cloudflare One adds a GA Windows client release with mandatory authentication, hardware-backed registration, DNSSEC passthrough, dashboard-managed version deployments, and usability fixes across proxy, DNS, and the new UI.
A new GA release for the Windows Cloudflare One Client is now available on the stable releases downloads page.
This release introduces multiple features from our previous beta release into stable release, including:
- The client now applies DNS search suffixes configured in your device profile / network policy. Administrators can push a list of DNS search domains that the client appends to single-label queries, alongside any system-configured suffixes. See DNS search suffixes for details.
- Added mandatory authentication. When enabled via MDM, the Cloudflare One Client blocks all Internet traffic from the moment the machine boots until the user authenticates, closing the visibility gap on newly deployed devices and during re-authentication. See the announcement blog and documentation for details.
- Upgraded security of device registration to be hardware-backed. Registration tokens can now be generated in the TPM (with TPM 2.0+) whenever it is available to provide stronger protection against device impersonation. See Hardware-backed registration for details.
- Added a local-file signal source for Emergency Disconnect. In addition to the existing HTTPS polling mechanism, administrators can now configure WARP to monitor for a file on disk; the presence of the file triggers an emergency disconnect even if both Cloudflare and your own infrastructure are unreachable. Either signal being asserted triggers disconnect; both must be cleared for normal operation to resume.
- Added new warp-cli debug commands for interactive connection diagnosis. See Extra debug logging for details.
- The local DNS proxy now supports DNSSEC passthrough. DNSSEC-signed responses are forwarded to the application intact (including DO/AD bits and RRSIG records), so applications that validate DNSSEC locally — including resolvers and the dig/drill tooling — work correctly through the client.
- Added a new MDM format for organization-wide settings, including a cleaner way to configure the compliance environment (e.g. FedRAMP). The previous per-configuration approach still works, but the new format is now recommended. See the updated Cloudflare One MDM documentation for details.
- Added support for dashboard-managed client version deployments. Administrators can now upgrade or downgrade the client version on enrolled devices directly from the Zero Trust dashboard. See Client version assignments for details.
Additional Changes and improvements
- Client Certificate device-posture checks now support template variables (e.g. ${serial_number}, ${device_uuid}) in the Subject Alternative Name field. Previously only the Common Name field accepted variables, which broke posture rules that pinned identity to a SAN entry.
- Improved accessibility by using high contrast colors and more defined color boundaries when high contrast is enabled in Windows Accessibility settings.
- Path MTU Discovery (PMTUD) is now enabled by default.
- The UseWebView2 registry value (HKLM\SOFTWARE\Cloudflare\CloudflareWARP\UseWebView2 = y) is once again honored by the new GUI for authentication, so administrators who prefer the embedded WebView2 browser for sign-in can opt back in. This setting was effectively ignored in the previous release; the default browser was always used. This key is now also honored for re-authentications.
- Fixed a crash in the authentication browser when navigating to a site that prompts for browser permissions (microphone, camera, notifications, etc.). The same fix had previously landed for the captive-portal browser; this extends it to the auth browser.
- Fixed an issue in proxy mode where hostnames containing underscores (e.g. ai_app.com) were rejected, breaking apps that depend on such hostnames (notably ChatGPT sandbox apps). The local proxy now accepts underscore-containing hostnames in CONNECT requests.
- Fixed an issue where DNS queries would fail after the connection was idle, requiring users to retry.
- Fixed a high CPU issue when the device wakes from sleep.
- Users can now register with team names in any case format without errors.
New UI fixes
- Fixed an issue where users with invalid MDM configurations were returned to the onboarding screen after successful authentication.
- Added a re-auth button and banner to the home screen so users don't miss it when their session expires.
- Added clear error messaging when the Cloudflare certificate needs to be installed.
- Brought back support for pausing the tunnel when connected to user-specified Wi-Fi networks for consumer users.
- New client UI now surfaces Split tunnel configuration and Local Domain Fallback configuration.
- Added ability to configure proxy mode for consumer users.
- Added back the option to quit for consumer users.
Known issues
- An error indicating that Microsoft Edge can't read and write to its data directory may be displayed during captive portal login; this error is benign and can be dismissed.
- In rare cases, a registration may hang at "Checking your organization configuration" due to IPC errors. A system reboot should resolve the error, allowing registration to proceed.
- Windows ARM may prompt the user to close running applications while trying to install this version. Simply click "Ok" with the default highlighted option.
- Jun 29, 2026
- Date parsed from source:Jun 29, 2026
- First seen by Releasebot:Jun 30, 2026
- Modified by Releasebot:Jul 3, 2026
Cloudflare One Client - Cloudflare One Client for macOS (version 2026.6.822.0)
Cloudflare One releases a major macOS Client GA update with stronger security, expanded DNS handling, emergency disconnect options, new debug tools, dashboard-managed version control, and a refreshed UI. It also adds fixes for captive portal, proxy, and DNS reliability issues.
A new GA release for the macOS Cloudflare One Client is now available on the stable releases downloads page.
This release introduces multiple features from our previous beta release into stable release, including:
- The client now applies DNS search suffixes configured in your device profile / network policy. Administrators can push a list of DNS search domains that the client appends to single-label queries, alongside any system-configured suffixes. See DNS search suffixes for details.
- Upgraded security of device registration to be hardware-backed. Registration tokens can now be generated in the Secure Enclave whenever available to provide stronger protection against device impersonation. See Hardware-backed registration for details.
- Added a local-file signal source for Emergency Disconnect. In addition to the existing HTTPS polling mechanism, administrators can now configure WARP to monitor for a file on disk; the presence of the file triggers an emergency disconnect even if both Cloudflare and your own infrastructure are unreachable. Either signal being asserted triggers disconnect; both must be cleared for normal operation to resume.
- Added new warp-cli debug commands for interactive connection diagnosis. See Extra debug logging for details.
- The local DNS proxy now supports DNSSEC passthrough. DNSSEC-signed responses are forwarded to the application intact (including DO/AD bits and RRSIG records), so applications that validate DNSSEC locally — including resolvers and the dig/drill tooling — work correctly through the client.
- Added a new MDM format for organization-wide settings, including a cleaner way to configure the compliance environment (e.g. FedRAMP). The previous per-configuration approach still works, but the new format is now recommended. See the updated Cloudflare One MDM documentation for details.
- Added support for dashboard-managed client version deployments. Administrators can now upgrade or downgrade the client version on enrolled devices directly from the Zero Trust dashboard. See Client version assignments for details.
Additional Changes and improvements
- Starting with 2026.6.822.0, the client unifies all API requests under the api.devices.cloudflare.com SNI, where previously both zero-trust-client.cloudflareclient.com and notifications.cloudflareclient.com were used. Review Cloudflare One Client with firewall to ensure systems that rely on SNI inspection do not block the API traffic. The behavior of previous client versions is unaffected.
- Client Certificate device-posture checks now support template variables (e.g. ${serial_number}, ${device_uuid}) in the Subject Alternative Name field. Previously only the Common Name field accepted variables, which broke posture rules that pinned identity to a SAN entry.
- Improved accessibility by using high contrast colors and more defined color boundaries when high contrast is enabled in the macOS Display settings.
- Path MTU Discovery (PMTUD) is now enabled by default.
- Fixed the in-client captive-portal browser rendering a blank "Success" page on some airline Wi-Fi networks. The browser now more consistently loads the airline's real portal page so users can complete sign-in from inside the client instead of having to open a separate browser.
- Fixed an issue in proxy mode where hostnames containing underscores (e.g. ai_app.com) were rejected, breaking apps that depend on such hostnames (notably ChatGPT sandbox apps). The local proxy now accepts underscore-containing hostnames in CONNECT requests.
- Fixed an issue where DNS queries would fail after the connection was idle, requiring users to retry.
- Users can now register with team names in any case format without errors.
New UI fixes
- Fixed an issue where users with invalid MDM configurations were returned to the onboarding screen after successful authentication.
- Added a re-auth button and banner to the home screen so users don't miss it when their session expires.
- Added clear error messaging when the Cloudflare certificate needs to be installed.
- Brought back support for pausing the tunnel when connected to user-specified Wi-Fi networks for consumer users.
- New client UI now surfaces Split tunnel configuration and Local Domain Fallback configuration.
- Added ability to configure proxy mode for consumer users.
- Added back the option to quit for consumer users.
Known issues
- Registration may hang at "Checking your organization configuration" due to IPC errors. A system reboot should resolve the error, allowing registration to proceed.
- Jun 29, 2026
- Date parsed from source:Jun 29, 2026
- First seen by Releasebot:Jun 30, 2026
- Modified by Releasebot:Jul 3, 2026
Cloudflare One Client - Cloudflare One Client for Linux (version 2026.6.822.0)
Cloudflare One releases a major Linux client GA update with DNS search suffixes, hardware-backed device registration, Emergency Disconnect file support, new warp-cli debug tools, DNSSEC passthrough, and a new MDM format, plus UI, accessibility, proxy, and connectivity fixes.
A new GA release for the Linux Cloudflare One Client is now available on the stable releases downloads page.
This release introduces multiple features from our previous beta release into stable release, including:
- The client now applies DNS search suffixes configured in your device profile / network policy. Administrators can push a list of DNS search domains that the client appends to single-label queries, alongside any system-configured suffixes. See DNS search suffixes for details.
- Upgraded security of device registration to be hardware-backed. Registration tokens can now be generated in the TPM (with TPM 2.0+) whenever it is available to provide stronger protection against device impersonation. See Hardware-backed registration for details.
- Added a local-file signal source for Emergency Disconnect. In addition to the existing HTTPS polling mechanism, administrators can now configure WARP to monitor for a file on disk; the presence of the file triggers an emergency disconnect even if both Cloudflare and your own infrastructure are unreachable. Either signal being asserted triggers disconnect; both must be cleared for normal operation to resume.
- Added new warp-cli debug commands for interactive connection diagnosis. See Extra debug logging for details.
- The local DNS proxy now supports DNSSEC passthrough. DNSSEC-signed responses are forwarded to the application intact (including DO/AD bits and RRSIG records), so applications that validate DNSSEC locally — including resolvers and the dig/drill tooling — work correctly through the client.
- Added a new MDM format for organization-wide settings, including a cleaner way to configure the compliance environment (e.g. FedRAMP). The previous per-configuration approach still works, but the new format is now recommended. See the updated Cloudflare One MDM documentation for details.
Additional changes and improvements
- Starting with 2026.6.822.0, the client unifies all API requests under the api.devices.cloudflare.com SNI, where previously both zero-trust-client.cloudflareclient.com and notifications.cloudflareclient.com were used. Review Cloudflare One Client with firewall to ensure systems that rely on SNI inspection do not block the API traffic. The behavior of previous client versions is unaffected.
- Cloudflare Mesh functionality using the Cloudflare One Client is now supported on RHEL 9 and 10.
- Cloudflare Mesh now supports hostname-based routing.
- Client Certificate device-posture checks now support template variables (e.g. ${serial_number}, ${device_uuid}) in the Subject Alternative Name field. Previously only the Common Name field accepted variables, which broke posture rules that pinned identity to a SAN entry.
- Improved accessibility by using high contrast colors and more defined color boundaries when high contrast is enabled in the system display settings.
- Path MTU Discovery (PMTUD) is now enabled by default.
- Fixed the in-client captive-portal browser rendering a blank "Success" page on some airline Wi-Fi networks. The browser now more consistently loads the airline's real portal page so users can complete sign-in from inside the client instead of having to open a separate browser.
- Fixed an issue in proxy mode where hostnames containing underscores (e.g. ai_app.com) were rejected, breaking apps that depend on such hostnames (notably ChatGPT sandbox apps). The local proxy now accepts underscore-containing hostnames in CONNECT requests.
- Fixed an issue where DNS queries would fail after the connection was idle, requiring users to retry.
- Fixed an issue where some Debian releases experienced inaccurate version reporting for posture checks.
- Users can now register with team names in any case format without errors.
New UI fixes
- Fixed an issue where users with invalid MDM configurations were returned to the onboarding screen after successful authentication.
- Added a re-auth button and banner to the home screen so users don't miss it when their session expires.
- Added clear error messaging when the Cloudflare certificate needs to be installed.
- Brought back support for pausing the tunnel when connected to user-specified Wi-Fi networks for consumer users.
- New client UI now surfaces Split tunnel configuration and Local Domain Fallback configuration.
- Added ability to configure proxy mode for consumer users.
- Added back the option to quit for consumer users.
For RHEL deployments, this release introduces a dependency on the Extra Packages for Enterprise Linux repository (EPEL). The EPEL repository provides packages that support the captive portal detection’s in-app browser authentication and system tray icon. See Getting started with EPEL for instructions on enabling EPEL.
Known issues
- Registration may hang at "Checking your organization configuration" due to IPC errors. A system reboot should resolve the error, allowing registration to proceed.
- Jun 26, 2026
- Date parsed from source:Jun 26, 2026
- First seen by Releasebot:Jul 3, 2026
Cloudflare One, Access - Service token support for MCP server portals
Cloudflare One adds Access service token support for MCP server portals, letting autonomous agents and bots reach linked MCP servers without a browser-based OAuth flow. Service token sessions use CF-Access-Client-Id and CF-Access-Client-Secret to access authorized tools.
You can now connect autonomous agents and bots to an MCP server portal using an Access service token. Service token sessions can reach upstream MCP servers through the portal without a browser-based OAuth flow.
To set this up:
- Add a Service Auth policy that matches your service token to the portal's Access application.
- Add a Service Auth policy that matches the same token to each linked MCP server's Access application.
- Turn Require user auth off (on_behalf: false) for each linked server so the portal uses the admin credential instead of a per-user OAuth grant.
The bot connects with CF-Access-Client-Id and CF-Access-Client-Secret headers and sees the tools from every linked server it is authorized for. Servers that still require per-user OAuth are excluded from service token sessions because a service token cannot complete a per-user OAuth grant.
For step-by-step setup, refer to Connect with a service token.
Original source - Jun 24, 2026
- Date parsed from source:Jun 24, 2026
- First seen by Releasebot:Jun 25, 2026
Cloudflare One Client - Cloudflare One Client for macOS (version 2026.6.782.1)
Cloudflare One adds a beta macOS client release with hardware-backed device registration, stronger Secure Enclave token protection, and a range of usability and reliability fixes, including accessibility updates, improved DNS handling, new UI controls, and restored tunnel and proxy options for consumer users.
A new Beta release for the macOS Cloudflare One Client is now available on the beta releases downloads page.
This beta release introduces upgraded security of device registration to be hardware-backed. Registration tokens can now be generated in the Secure Enclave whenever available to provide stronger protection against device impersonation.
Additional changes and improvements
This release also introduces multiple fixes and improvements including:
- Improved accessibility by using high contrast colors and more defined color boundaries when high contrast is enabled in the macOS Display settings.
- Path MTU Discovery (PMTUD) is now enabled by default.
- Fixed an issue where DNS queries would fail after the connection was idle, requiring users to retry.
- Users can now register with team names in any case format without errors.
New UI fixes
- Fixed an issue where users with invalid MDM configurations were returned to the onboarding screen after successful authentication.
- Added a re-auth button and banner to the home screen so users don't miss it when their session expires.
- Added clear error messaging when the Cloudflare certificate needs to be installed.
- Brought back support for pausing the tunnel when connected to user-specified Wi-Fi networks for consumer users.
- New client UI now surfaces Split tunnel configuration and Local Domain Fallback configuration.
- Added ability to configure proxy mode for consumer users.
- Added back the option to quit for consumer users.
Known issues
Registration may hang at "Checking your organization configuration" due to IPC errors. A system reboot should resolve the error, allowing registration to proceed.
Original source - Jun 23, 2026
- Date parsed from source:Jun 23, 2026
- First seen by Releasebot:Jul 3, 2026
Data Localization Suite - Regionalized IP Bindings for Regional Services
Cloudflare One adds Regionalized IP Bindings for Regional Services, bringing IP-level traffic regionalization to BYOIP prefixes. It lets teams bind a CIDR to a region for address-map and IP-addressed services, with TLS termination and traffic processing kept within regional data centers.
Regional Services now supports Regionalized IP Bindings, letting you regionalize traffic at the IP layer for prefixes you bring to Cloudflare through Bring Your Own IP (BYOIP).
Where Regional Hostnames regionalize traffic by hostname, Regionalized IP Bindings let you bind a CIDR from one of your prefixes to a region — ideal for address-map deployments and any service you address by IP rather than hostname. Cloudflare then terminates TLS and processes traffic to those addresses only within the data centers in that region.
Regionalized IP Bindings requires the Regional Services and Regional Services for BYOIP entitlements. Contact your account team to enable them.
To get started, refer to Regionalized IP Bindings.
Original source - Jun 19, 2026
- Date parsed from source:Jun 19, 2026
- First seen by Releasebot:Jun 19, 2026
Cloudflare Mesh, Cloudflare Tunnel, Cloudflare WAN, Cloudflare One - Manage all your routes from one page in the dashboard
Cloudflare One adds a unified Routes page in the dashboard, bringing Mesh, Tunnel, WAN, and Magic Transit routes into one table with an interactive map, route testing, virtual network management, and easier create, edit, and delete flows.
The Routes page in the Cloudflare dashboard now shows the routes across all of your connectors — Cloudflare Mesh and Cloudflare Tunnel routes alongside Cloudflare WAN and Magic Transit static routes — in a single table, instead of a separate routes view per product.
From the unified Routes page you can:
- Visualize your network with an interactive map that shows how your destinations flow through to your connectors — including equal-cost multi-path (ECMP) routes where the same prefix is served by several connectors. Select a node to filter the table down to the routes behind it.
- See every route in one table, with its destination, type, connector, priority, and source, and filter or sort to find what you need.
- Create, edit, and delete routes of any supported type without leaving the page. When adding a Cloudflare WAN or Magic Transit static route, you now pick the next hop by connector name instead of typing its IP.
- Manage virtual networks from a dedicated tab.
- Test a route to see which connector and next hop a destination resolves to before you commit a change.
To find it, go to Networking > Routes in the dashboard sidebar.
Go to Routes
Your existing routes, APIs, and configurations are unchanged — this is a dashboard experience that brings them together in one place. Learn how to add routes and manage virtual networks.
Original source - Jun 18, 2026
- Date parsed from source:Jun 18, 2026
- First seen by Releasebot:Jun 19, 2026
Cloudflare One, Access - Cloudflare identity provider is now the default for new accounts
Cloudflare One adds the Cloudflare identity provider as the default login method for newly created Zero Trust organizations, replacing OTP for new accounts while keeping existing organizations unchanged.
When you create a new Zero Trust organization, Cloudflare now adds the Cloudflare identity provider as your default login method. Previously, new organizations started with one-time PIN (OTP).
With the Cloudflare identity provider, your users authenticate using their existing Cloudflare account credentials, and authentication is restricted to members of your account. You can still add OTP or connect any third-party identity provider whenever you need to.
This change only applies to newly created accounts. Existing organizations keep the login methods they already have configured. If you would like to use the Cloudflare Identity Provider in an existing account, you must enable it.
Original source - Jun 11, 2026
- Date parsed from source:Jun 11, 2026
- First seen by Releasebot:Jun 11, 2026
Data Loss Prevention - Define custom topics for AI prompt protection
Cloudflare One adds custom AI prompt topics for DLP, letting teams detect proprietary concepts in prompts by natural language context instead of keywords. The new option extends AI prompt protection across ChatGPT, Google Gemini, Perplexity, and Claude with the same granular controls path.
You can now define custom topics for AI prompt protection. Predefined AI prompt topics cover common content and intent categories such as PII, source code, and jailbreak attempts. Custom topics let you detect unique or proprietary concepts that are not included in predefined categories.
You describe a custom topic in natural language, and Cloudflare DLP detects whether a prompt matches that topic based on context rather than specific keywords. For example, a topic that describes confidential merger discussions matches a prompt that paraphrases the deal, even when the prompt never uses the word merger or names the companies involved. To detect literal values such as internal codenames or product identifiers, use a custom wordlist or pattern entry instead.
Custom topics run through the same application granular controls path as predefined AI prompt topics. Custom topics are available for ChatGPT, Google Gemini, Perplexity, and Claude.
Create a custom AI prompt topic
In the Cloudflare dashboard, go to Zero Trust > Data loss prevention > Detection entries.
Select AI prompt topics, then select Custom Prompt Topic.
Describe the topic in natural language. Be specific about the concept you want to detect. For example, describe unreleased product roadmap details or confidential customer contract terms.
Add this detection entry to an existing DLP profile, or create a new DLP profile.
Use the profile in a Gateway HTTP policy to log or block prompts that match the topic.
Note
Write the description as a concept to classify, not a list of keywords. For example, describe "internal financial forecasts and unreleased revenue figures" rather than listing specific document names.
For more information, refer to AI prompt topics.
Original source - Jun 5, 2026
- Date parsed from source:Jun 5, 2026
- First seen by Releasebot:Jun 6, 2026
Gateway, Cloudflare Mesh, Workers VPC - Filter Workers' public Internet traffic using Gateway policies
Cloudflare One now routes Workers with a VPC Network binding to public Internet destinations through Cloudflare Gateway, extending Zero Trust DNS, HTTP, Network, and egress policies and adding Gateway logs for Worker traffic.
Workers using a VPC Network binding with network_id: "cf1:network" now egress to public Internet destinations through Cloudflare Gateway.
This means your existing Zero Trust traffic policies — DNS, HTTP, Network, and egress — extend to traffic that originates from your Workers, the same way they do for WARP users today.
Worker
Calls env.EGRESS.fetch() VPC binding ↓ Cloudflare Mesh Bind via cf1:network ↓ Cloudflare Gateway Policies applied: DNS HTTP Network ↓ ↗ Public Internet Any public hostname or IP Gateway logs DNS HTTP NetworkWhat you get by default:
Visibility. Worker egress shows up in Gateway DNS, HTTP, and Network logs alongside your other traffic, so you can audit what your Workers are calling and when.
Enforcement. Any existing Gateway policy whose selectors match a Worker request will apply — including allow / block lists, DNS category filtering, and HTTP destination rules. If you have already blocked a category for your workforce, your Workers inherit that block.
wrangler.jsonc
{ "vpc_networks": [ { "binding": "EGRESS", "network_id": "cf1:network", "remote": true, }, ], }wrangler.toml
[[vpc_networks]] binding = "EGRESS" network_id = "cf1:network" remote = trueJavaScript
// Egress to a public destination — subject to your Gateway policies and logged const response = await env.EGRESS.fetch("https://api.example.com/data");TypeScript
// Egress to a public destination — subject to your Gateway policies and logged const response = await env.EGRESS.fetch("https://api.example.com/data");For configuration options, refer to VPC Networks. For policy authoring, refer to Cloudflare Gateway traffic policies.
Original source
Curated by the Releasebot team
Releasebot is an aggregator of official product update announcements from hundreds of software vendors and thousands of sources.
Our editorial process involves the manual review and audit of release notes procured with the help of automated systems.