WAF - WAF Release - 2026-04-07
Source: cloudflare.com

This week's release introduces new detections for a critical Remote Code Execution (RCE) vulnerability in MCP Server (CVE-2026-23744), alongside targeted protection for an authentication bypass vulnerability in SolarWinds products (CVE-2025-40552). Additionally, this release includes a new generic detection rule designed to identify and block Cross-Site Scripting (XSS) injection attempts that leverage "OnEvent" handlers within HTTP cookies.

Key Findings

MCP Server (CVE-2026-23744): A vulnerability in the Model Context Protocol (MCP) server implementation where malformed input payloads can trigger a memory corruption state, allowing for arbitrary code execution.

SolarWinds (CVE-2025-40552): A critical flaw in the authentication module allows unauthenticated attackers to bypass security filters and gain unauthorized access to the management console due to improper identity token validation.

XSS OnEvents Cookies: This generic rule identifies malicious event handlers (such as onload or onerror) embedded within HTTP cookie values.

Impact

Successful exploitation of the MCP Server and SolarWinds vulnerabilities could allow unauthenticated attackers to execute arbitrary code or gain administrative control, leading to a full system takeover. Additionally, the new generic XSS detection prevents attackers from leveraging browser event handlers in cookies to hijack user sessions or execute malicious scripts.

| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 73ae1cf103da4bacaa2e1a610aa410af | N/A | Generic Rules - Command Execution - 5 - Body | Log | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | a88a85b0cc5a4bc2abead6289131ec2f | N/A | Generic Rules - Command Execution - 5 - Header | Log | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | 28518cdc40544979bbd86720551eb9e5 | N/A | Generic Rules - Command Execution - 5 - URI | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 1177993d53a1467997002b44d46229eb | N/A | MCP Server - Remote Code Execution - CVE:CVE-2026-23744 | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 3d43cdfbc3c14584942f8bc4a864b9c2 | N/A | XSS - OnEvents - Cookies | Log | Block | This is a new detection. |
| Cloudflare Managed Ruleset | 41153470df2365192b0df74ca78ad04e | N/A | SQLi - Evasion - Body | Log | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | 64d812e6d5844d7c9d7a44a440732d48 | N/A | SQLi - Evasion - Headers | Log | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | 50de9369ef7c45928a5dfb34e68a99b5 | N/A | SQLi - Evasion - URI | Log | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | 765ffb5c67b94c9589106c843e8143d2 | N/A | SQLi - LIKE 3 - Body | Log | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | 5c3dbd4f115e47c781491fcd70e7fb97 | N/A | SQLi - LIKE 3 - URI | Log | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | 89fa6027a0334949b1cb2e654c538bd9 | N/A | SQLi - UNION - 2 - Body | Log | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | 05946b3458364f1b9d4819d561c439c9 | N/A | SQLi - UNION - 2 - URI | Log | Disabled | This is a new detection. |
| Cloudflare Managed Ruleset | b2fe5c2a39df4609b6d39908cf33ea10 | N/A | SolarWinds - Auth Bypass - CVE:CVE-2025-40552 | Log | Block | This is a new detection. |
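To make the "XSS - OnEvents - Cookies" class of detection concrete, the following is an added example of the same idea in Python; it is not Cloudflare's rule logic and does not show how the managed rule is implemented. It parses a Cookie header into name/value pairs, percent-decodes each value repeatedly so that double-encoded input is inspected in the form a browser would eventually see, and flags any value containing a generic `on<event>=` handler token. The function names, the regular expression, the decode limit and the sample requests are all assumptions constructed for this illustration.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Generic "on<event>=" handler pattern (onload=, onerror=, onmouseover=, ...),
# tolerant of whitespace around "=". This is a heuristic for illustration only,
# not the pattern used by any vendor rule.
ON_EVENT_RE = re.compile(r"\b(on[a-z]{2,30})\s*=", re.IGNORECASE)

# Bound the decode loop so a pathological value cannot make us spin forever.
MAX_DECODE_ROUNDS = 3


def parse_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split a raw Cookie header into (name, value) pairs; value is '' if no '='."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        pairs.append((name.strip(), value.strip() if sep else ""))
    return pairs


def normalize(value: str) -> str:
    """Percent-decode until the value stops changing (or the round limit is hit)."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_on_event_handlers(header: str) -> List[Tuple[str, str]]:
    """Return (cookie_name, event_name) for every cookie value carrying an on<event>= token."""
    hits = []
    for name, value in parse_cookie_header(header):
        match = ON_EVENT_RE.search(normalize(value))
        if match:
            hits.append((name, match.group(1).lower()))
    return hits


def evaluate(requests: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Apply the check to (request_line, cookie_header) pairs and decide allow/block."""
    results = []
    for request_line, cookie_header in requests:
        hits = find_on_event_handlers(cookie_header)
        results.append({
            "request": request_line,
            "action": "block" if hits else "allow",
            "hits": hits,
        })
    return results


# Constructed sample traffic (not real captures): benign cookies, a percent-encoded
# handler, values that merely contain the letters "on", a whitespace-padded handler,
# and a double-encoded handler.
SAMPLE_REQUESTS = [
    ("GET /", "session=abc123; theme=dark"),
    ("GET /profile", "pref=%3Cimg%20src%3Dx%20onerror%3Devil()%3E"),
    ("GET /", "name=Monday; consent=on; step=onboarding"),
    ("POST /api", 'ref="<svg onload = evil()>"'),
    ("GET /", "t=%253Csvg%2520onload%253Dx%253E"),
]

if __name__ == "__main__":
    for result in evaluate(SAMPLE_REQUESTS):
        print(result["action"].upper(), result["request"], result["hits"])
```

The decode loop is the part worth noting: a single `unquote` would miss the last sample, because its first decoding pass only yields another percent-encoded string. The word-boundary anchor keeps ordinary values such as `Monday` or `onboarding` from matching, but a heuristic like this will still need tuning against real traffic before it is used to block rather than log, which mirrors the Log-then-Block progression in the table above.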