Cloudflare One Release Notes

Cloudflare Email Security now supports DANE (DNS-based Authentication of Named Entities) for MX deployments. This enhancement strengthens email transport security by enabling DNSSEC-backed certificate verification for our regional MX records.

Regional MX hostnames now publish DANE TLSA records backed by DNSSEC, enabling DANE-capable SMTP senders to cryptographically validate certificate identities before establishing TLS connections—moving beyond opportunistic encryption to verified encrypted delivery.

DANE support is automatically available for all customers using regional MX deployments. No additional configuration is required; DANE-capable mail infrastructure will automatically validate MX certificates using the published records.

This applies to all Email Security packages:

• Advantage
• Enterprise
• Enterprise + PhishGuard

A new GA release for the Windows Cloudflare One Client is now available on the stable releases downloads page.

This release contains minor fixes and improvements.

The next stable release for Windows will introduce the new Cloudflare One Client UI, providing a cleaner and more intuitive design as well as easier access to common actions and information.

Changes and improvements

• Consumer-only CLI commands are now clearly distinguished from Zero Trust commands.
• Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting.
• Added monitoring for tunnel statistics collection timeouts.
• Switched tunnel congestion control algorithm for local proxy mode to Cubic for improved reliability across platforms.
• Fixed packet capture failing on tunnel interface when the tunnel interface is renamed by SCCM VPN boundary support.
• Fixed unnecessary registration deletion caused by RDP connections in multi-user mode.
• Fixed increased tunnel interface start-up time due to a race between duplicate address detection (DAD) and disabling NetBT.
• Fixed tunnel failing to connect when the system DNS search list contains unexpected characters.
• Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config.
• Fixed an issue in local proxy mode where the client could become unresponsive due to upstream connection timeouts.
• Fixed an issue where the emergency disconnect status of a prior organization persisted after a switch to a different organization.
• Fixed initiating managed network detections checks when no network is available, which caused device profile flapping.
• Fixed an issue where degraded Windows Management Instrumentation (WMI) state could put the client in a failed connection state loop during initialization.

Known issues

For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 version KB5062553 or higher for resolution. This warning will be omitted from future release notes. This Windows update was released in July 2025.

Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later. This warning will be omitted from future release notes. This Microsoft Security Intelligence update was released in May 2025.

DNS resolution may be broken when the following conditions are all true:

• The client is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
• A custom DNS server address is configured on the primary network adapter.
• The custom DNS server address on the primary network adapter is changed while the client is connected.

To work around this issue, reconnect the client by selecting Disconnect and then Connect in the client user interface.

A new GA release for the macOS Cloudflare One Client is now available on the stable releases downloads page.

This release contains minor fixes and improvements.

The next stable release for macOS will introduce the new Cloudflare One Client UI, providing a cleaner and more intuitive design as well as easier access to common actions and information.

Changes and improvements

• Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config.
• Fixed an issue in local proxy mode where the client could become unresponsive due to upstream connection timeouts.
• Fixed an issue where the emergency disconnect status of a prior organization persisted after a switch to a different organization.
• Consumer-only CLI commands are now clearly distinguished from Zero Trust commands.
• Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting.
• Added monitoring for tunnel statistics collection timeouts.
• Switched tunnel congestion control algorithm for local proxy mode to Cubic for improved reliability across platforms.
• Fixed initiating managed network detections checks when no network is available, which caused device profile flapping.

A new GA release for the Linux Cloudflare One Client is now available on the stable releases downloads page.

This release contains minor fixes and improvements.

The next stable release for Linux will introduce the new Cloudflare One Client UI, providing a cleaner and more intuitive design as well as easier access to common actions and information.

Changes and improvements

• Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config.
• Fixed an issue in local proxy mode where the client could become unresponsive due to upstream connection timeouts.
• Fixed an issue where the emergency disconnect status of a prior organization persisted after a switch to a different organization.
• Consumer-only CLI commands are now clearly distinguished from Zero Trust commands.
• Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting.
• Added monitoring for tunnel statistics collection timeouts.
• Switched tunnel congestion control algorithm for local proxy mode to Cubic for improved reliability across platforms.
• Fixed initiating managed network detections checks when no network is available, which caused device profile flapping.

Cloudflare Gateway now supports OIDC Claims as a selector in Firewall, Resolver, and Egress policies. Administrators can use custom OIDC claims from their identity provider to build fine-grained, identity-based traffic policies across all Gateway policy types.

With this update, you can:

• Filter traffic in DNS, HTTP, and Network firewall policies based on OIDC claim values.
• Apply custom resolver policies to route DNS queries to specific resolvers depending on a user's OIDC claims.
• Control egress policies to assign dedicated egress IPs based on OIDC claim attributes.

For example, you can create a policy that routes traffic differently for users with department=engineering in their OIDC claims, or restrict access to certain destinations based on a user's role claim.

To get started, configure custom OIDC claims on your identity provider and use the OIDC Claims selector in the Gateway policy builder.

For more information, refer to Identity-based policies.

In the Cloudflare One dashboard, the overview page for a specific Cloudflare Tunnel now shows all replicas of that tunnel and supports streaming logs from multiple replicas at once.

Previously, you could only stream logs from one replica at a time. With this update:

• Replicas on the tunnel overview — All active replicas for the selected tunnel now appear on that tunnel's overview page under Connectors. Select any replica to stream its logs.

• Multi-connector log streaming — Stream logs from multiple replicas simultaneously, making it easier to correlate events across your infrastructure during debugging or incident response. To try it out, log in to Cloudflare One and go to Networks > Connectors > Cloudflare Tunnels. Select View logs next to the tunnel you want to monitor.

For more information, refer to Tunnel log streams and Deploy replicas.

A new Beta release for the macOS WARP client is now available on the beta releases downloads page.
This release contains minor fixes and introduces a brand new visual style for the client interface. The new Cloudflare One Client interface changes connectivity management from a toggle to a button and brings useful connectivity settings to the home screen. The redesign also introduces a collapsible navigation bar. When expanded, more client information can be accessed including connectivity, settings, and device profile information. If you have any feedback or questions, visit the Cloudflare Community forum and let us know.

Changes and improvements

• Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config.
• Fixed an issue in proxy mode where the client could become unresponsive due to upstream connection timeouts.
• Fixed emergency disconnect state from a previous organization incorrectly persisting after switching organizations.
• Consumer-only CLI commands are now clearly distinguished from Zero Trust commands.
• Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting.
• Added monitoring for tunnel statistics collection timeouts.
• Switched tunnel congestion control algorithm to Cubic for improved reliability across platforms.
• Fixed initiating managed network detection checks when no network is available, which caused device profile flapping.

Known issues

• The client may become stuck in a Connecting state. To resolve this issue, reconnect the client by selecting Disconnect and then Connect in the client user interface. Alternatively, change the client's operation mode.
• The client may display an empty white screen upon the device waking from sleep. To resolve this issue, exit and then open the client to re-launch it.
• Canceling login during a single MDM configuration setup results in an empty page with no way to resume authentication. To work around this issue, exit and relaunch the client.

A new Beta release for the Windows WARP client is now available on the beta releases downloads page.
This release contains minor fixes and introduces a brand new visual style for the client interface. The new Cloudflare One Client interface changes connectivity management from a toggle to a button and brings useful connectivity settings to the home screen. The redesign also introduces a collapsible navigation bar. When expanded, more client information can be accessed including connectivity, settings, and device profile information. If you have any feedback or questions, visit the Cloudflare Community forum and let us know.

Changes and improvements

• Consumer-only CLI commands are now clearly distinguished from Zero Trust commands.
• Added detailed QUIC connection metrics to diagnostic logs for better troubleshooting.
• Added monitoring for tunnel statistics collection timeouts.
• Switched tunnel congestion control algorithm to Cubic for improved reliability across platforms.
• Fixed packet capture failing on tunnel interface when the tunnel interface is renamed by SCCM VPN boundary support.
• Fixed unnecessary registration deletion caused by RDP connections in multi-user mode.
• Fixed increased tunnel interface start-up time due to a race between duplicate address detection (DAD) and disabling NetBT.
• Fixed tunnel failing to connect when the system DNS search list contains unexpected characters.
• Empty MDM files are now rejected instead of being incorrectly accepted as a single MDM config.
• Fixed an issue in proxy mode where the client could become unresponsive due to upstream connection timeouts.
• Fixed emergency disconnect state from a previous organization incorrectly persisting after switching organizations.
• Fixed initiating managed network detection checks when no network is available, which caused device profile flapping.

Known issues

• The client may unexpectedly terminate during captive portal login. To work around this issue, use a web browser to authenticate with the captive portal and then re-launch the client.
• An error indicating that Microsoft Edge can't read and write to its data directory may be displayed during captive portal login; this error is benign and can be dismissed.
• The client may become stuck in a Connecting state. To resolve this issue, reconnect the client by selecting Disconnect and then Connect in the client user interface. Alternatively, change the client's operation mode.
• The client may display an empty white screen upon the device waking from sleep. To resolve this issue, exit and then open the client to re-launch it.
• Canceling login during a single MDM configuration setup results in an empty page with no way to resume authentication. To work around this issue, exit and relaunch the client.
• For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum Windows 11 24H2 version KB5062553 or higher for resolution.
• Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later. This warning will be omitted from future release notes. This Microsoft Security Intelligence update was released in May 2025.
• DNS resolution may be broken when the following conditions are all true:
  • The client is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
  • A custom DNS server address is configured on the primary network adapter.
  • The custom DNS server address on the primary network adapter is changed while the client is connected.
    To work around this issue, reconnect the client by selecting Disconnect and then Connect in the client user interface.

The Gateway Authorization Proxy and PAC file hosting are now in open beta for all plan types.

The Gateway Authorization Proxy and PAC file hosting are now in open beta for all plan types.
Previously, proxy endpoints relied on static source IP addresses to authorize traffic, providing no user-level identity in logs or policies. The new authorization proxy replaces IP-based authorization with Cloudflare Access authentication, verifying who a user is before applying Gateway filtering without installing the WARP client.
This is ideal for environments where you cannot deploy a device client, such as virtual desktops (VDI), mergers and acquisitions, or compliance-restricted endpoints.

Key capabilities

• Identity-aware proxy traffic — Users authenticate through your identity provider (Okta, Microsoft Entra ID, Google Workspace, and others) via Cloudflare Access. Logs now show exactly which user accessed which site, and you can write identity-based policies like "only the Finance team can access this accounting tool."
• Multiple identity providers — Display one or multiple login methods simultaneously, giving flexibility for organizations managing users across different identity systems.
• Cloudflare-hosted PAC files — Create and host PAC files directly in Cloudflare One with pre-configured templates for Okta and Azure, hosted at https://pac.cloudflare-gateway.com// on Cloudflare's global network.
• Simplified billing — Each user occupies a seat, exactly like they do with the Cloudflare One Client. No new metrics to track.

Get started

• In Cloudflare One, go to Networks > Resolvers & Proxies > Proxy endpoints.
• Create an authorization proxy endpoint and configure Access policies.
• Create a hosted PAC file or write your own.
• Configure browsers to use the PAC file URL.
• Install the Cloudflare certificate for HTTPS inspection.
• For more details, refer to the proxy endpoints documentation and the announcement blog post.