Skip to content

Changelog

New updates and improvements at Cloudflare.

hero image

WAF Release - 2026-07-14

This release introduces new rules targeting critical infrastructure vulnerabilities. These include an unauthenticated memory disclosure flaw in Citrix NetScaler ADC and Gateway (CVE-2026-8451) and a high-severity pre-authentication remote code execution (RCE) vulnerability in Progress Kemp LoadMaster (CVE-2026-8037).

Key Findings

  • CVE-2026-8451: An insufficient input validation vulnerability affects Citrix NetScaler ADC and NetScaler Gateway appliances configured as a SAML Identity Provider (IdP). Remote, unauthenticated attackers can exploit this flaw by sending malformed requests to trigger a memory overread, allowing them to leak chunks of sensitive data from adjacent appliance memory.

  • CVE-2026-8037: A critical OS command injection vulnerability in Progress Kemp LoadMaster load balancers allows unauthenticated remote attackers to achieve remote code execution (RCE).

RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionComments
Cloudflare Managed Ruleset N/ACitrix Netscaler ADC - Insufficient Input Validation - CVE:CVE-2026-8451LogBlock

This is a new detection.

Cloudflare Managed Ruleset N/AProgress Kemp LoadMaster - Remote Code Execution - CVE:CVE-2026-8037LogBlock

This is a new detection.