Cloudflare WAF adds three new detection rules for SmarterMail flaws and command injection
Cloudflare · release, security, bugfix, api · developers.cloudflare.com

New WAF Rule Releases

Cloudflare's Web Application Firewall is adding protection against emerging vulnerabilities and attack vectors in a scheduled release on March 2, 2026.

New Detections

Two critical SmarterMail vulnerabilities are being addressed with new WAF rules:

  • SmarterMail - Arbitrary File Upload (CVE-2025-52691): New rule to detect attempts to exploit file upload vulnerabilities in SmarterMail
  • SmarterMail - Authentication Bypass (CVE-2026-23760): New rule to detect authentication bypass attacks against SmarterMail

Additionally, a new Command Injection - Nslookup (Beta) rule will be released. This beta rule will eventually be merged into the existing "Command Injection - Nslookup" rule.

Rollout Behavior

All new rules will deploy in Log mode, meaning they will identify and log matching traffic without blocking it. This allows customers to evaluate the rules and adjust configurations before enforcement. Customers can manually adjust rule sensitivity settings based on their specific security posture and application requirements.