Cloudflare Public Bug Bounty Program Statistics
76 total issues disclosed

$29,575 total paid publicly

Most common weakness type: None supplied (13 of the 76 disclosed reports carry no weakness classification)

Disclosed Reports

Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on
[Variation of #3321406] Yet Another 1-Click Chaining of Self-XSS, Cookie Tossing and AntiCSRF Token Prediction leads to auto approval in AccessTempAuth | Cross-site Scripting (XSS) - Stored | matured_kazama | High | 2026-04-14
[Variation of #1554049] 1-Click Chaining of Self-XSS, Cookie Tossing and AntiCSRF Token Prediction leads to auto approval in Access Temp Auth | None supplied | matured_kazama | High | 2026-04-14
AI Playground XSS to steal user-chat messages and access to connected MCP Server | Cross-site Scripting (XSS) - Reflected | matured_kazama | Low | 2026-02-26
Second-Order XSS via javascript protocol in MCP Server Portal Apps leads to ATO | Cross-site Scripting (XSS) - Stored | matured_kazama | Low | 2025-12-16
Bypass of Cloudflare's Cache Keys and WAF via header overflow | Improper Access Control - Generic | david96 | High | 2025-11-18
`use-mcp`'s oauth2 process uses a window.open call with untrusted mcp server provided data allowing for code execution under the page using it | Cross-site Scripting (XSS) - Generic | null_smashmaster0045 | Medium | 2025-09-30
Any WARP User Can Access Organization-Specific Application | Improper Authentication - Generic | jai-kandepu | None | 2025-05-19
Arbitrary file read from Cloudflare Pages build environment | None supplied | ryotak | Medium | 2024-02-23
Yet Another CASB Integration Takeover of Active Integrations | None supplied | matured_kazama | High | 2023-11-13
Bypass R2 payment screen | Improper Restriction of Authentication Attempts | bun | Medium | 2023-11-10
YAML schema injection risk in Swagger UI via schema_url parameter at developers.cloudflare.com | Resource Injection | aliend89 | Low | 2023-11-10
Accessing apps protected via ZT's Access when user account is deleted/disabled even after clearing user session/seat | Improper Authentication - Generic | matured_kazama | High | 2023-10-25
Permanent CASB Integration Takeover due to Improper Access Controls+Confused Deputy Problem | Improper Access Control - Generic | matured_kazama | High | 2023-09-18
2FA BYPASS | Improper Access Control - Generic | imtheking | High | 2023-09-18
Ability to bypass Admin override on Cloudflare WARP Android | Client-Side Enforcement of Server-Side Security | harshdranjan | High | 2023-09-07
Plaintext leakage of DNS requests in Windows 1.1.1.1 WARP client | Cleartext Transmission of Sensitive Information | vanhoefm | High | 2023-08-03
💥💥Crash report - Cloudflare WARP doesn't verify text length in "Excluded Host" name input data💥💥 | Memory Corruption - Generic | theendisnear | Low | 2023-07-31
Basic XSS [WAF Bypasses] | None supplied | hacker1_agent | No rating | 2023-07-07
Cloudflare CASB Confused Deputy Problem | None supplied | albertspedersen | Critical | 2023-06-07
Privilege escalation to root in Pages build image v2 | Privilege Escalation | albertspedersen | Low | 2023-05-26
A malicious actor could rotate tokens of a victim, given that he knows the victim's token ID | Improper Access Control - Generic | esx | High | 2023-04-13
Cloudflare is not properly deleting user's account | Business Logic Errors | csc_ | Medium | 2023-04-13
Session mismatch leading to potential account takeover (local access required) | Insecure Direct Object Reference (IDOR) | theendisnear | Medium | 2023-04-10
Bypassing creation of API tokens without email verification | Improper Authentication - Generic | boy_child_ | Low | 2023-03-27
Extraction of Pages build scripts, config values, tokens, etc. via symlinks | Information Disclosure | mattipv4 | Medium | 2023-03-06
Using special IPv4-mapped IPv6 addresses to bypass local IP ban | None supplied | albertspedersen | Critical | 2023-01-24
Origin IP address disclosure through Pingora response header | Information Exposure Through an Error Message | smither | Medium | 2023-01-10
cd=false (DNSSEC) not respected in DNS over HTTPS JSON requests | Business Logic Errors | mattipv4 | Low | 2022-12-12
Ability to bypass locked Cloudflare WARP on wifi networks. | Client-Side Enforcement of Server-Side Security | oracularhades | High | 2022-11-16
I found another way to bypass Cloudflare Warp lock! | Client-Side Enforcement of Server-Side Security | oracularhades | High | 2022-11-07
Bypass Cloudflare WARP lock on iOS. | Client-Side Enforcement of Server-Side Security | oracularhades | Medium | 2022-11-07
Completely remove VPN profile from locked WARP iOS client. | Client-Side Enforcement of Server-Side Security | oracularhades | High | 2022-11-07
Misconfigured build on websites "abuse.cloudflare.com" | None supplied | paradessiaa | Low | 2022-10-13
Bypass two-factor authentication | Improper Authentication - Generic | ydvanjali | Low | 2022-10-04
Lack of Packet Sanitation in Goflow Results in Multiple DoS Attack Vectors and Bugs | Uncontrolled Resource Consumption | path_network | High | 2022-09-30
Password Policy Restriction Bypass | Violation of Secure Design Principles | lohigowda | Low | 2022-09-30
Take over subdomains of r2.dev using R2 custom domains | None supplied | albertspedersen | Medium | 2022-09-28
Signup with any Email and Enable 2-FA without verifying Email | Improper Authentication - Generic | imtheking | Medium | 2022-09-12
Enable 2FA verification without verifying email | Improper Access Control - Generic | motu-vai | Medium | 2022-08-31
Blind SSRF on platform.dash.cloudflare.com Due to Sentry misconfiguration | Server-Side Request Forgery (SSRF) | lohigowda | Low | 2022-08-31
Hijack all emails sent to any domain that uses Cloudflare Email Forwarding | Improper Authorization | albertspedersen | Critical | 2022-07-28
HTTP request smuggling with Origin Rules using newlines in the host_header action parameter | HTTP Request Smuggling | albertspedersen | Critical | 2022-06-27
Bypassing Cache Deception Armor using .avif extension file | Information Disclosure | bombon | Medium | 2022-06-27
Sign in with Apple generates long-life JWTs, seemingly irrevocable, that grant immediate access to accounts | Improper Authentication - Generic | mattipv4 | Low | 2022-06-27
Sign in with Apple works on existing accounts, bypasses 2FA | Improper Authentication - Generic | mattipv4 | High | 2022-06-27
API docs expose an active token for the sample domain theburritobot.com | Information Disclosure | sainaen | High | 2022-06-27
HTTP Request Smuggling in Transform Rules using hexadecimal escape sequences in the concat() function | HTTP Request Smuggling | albertspedersen | Critical | 2022-05-16
DOM XSS on 1.1.1.1 (one.one.one.one) | Cross-site Scripting (XSS) - DOM | cujanovic | Medium | 2018-10-17
Remote file inclusion using "/cdn-cgi/pe/bag2?r[]=" | Remote File Inclusion | grampae | Critical | 2018-08-15
Private API key leakage due to lack of access control | Improper Access Control - Generic | yox | High | 2018-08-08
Potential XSS vulnerability to HTML minification | Cross-site Scripting (XSS) - Generic | filedescriptor | No rating | 2018-04-17
// (double slash) inside es6 template literals interpreted as an inline comment by the auto-minifier | Code Injection | veggie | Medium | 2018-03-17
SSRF | Server-Side Request Forgery (SSRF) | linkks | Critical | 2018-02-25
Cloudflare does not sufficiently truncate credit card numbers in invoices | Missing Encryption of Sensitive Data | webster | No rating | 2018-01-12
Cloudflare based XSS for IE11 | None supplied | reactors08 | Medium | 2017-05-04
[http2.cloudflare.com] Open Redirect | Open Redirect | bobrov | Low | 2017-03-24
Reflected XSS on partners.cloudflare.com | Cross-site Scripting (XSS) - Generic | albinowax | No rating | 2016-10-26
CSRF in Cloudflare login | Cross-Site Request Forgery (CSRF) | melvin | No rating | 2016-10-07
Bug Report | None supplied | thalaivarsubu | No rating | 2016-06-16
Clickjacking: https://partners.cloudflare.com/ | UI Redressing (Clickjacking) | xsserboiii | No rating | 2016-03-06
Threat control information leak | Cross-Site Request Forgery (CSRF) | bitquark | No rating | 2015-06-20
User's data leak | None supplied | sergeybelove | No rating | 2014-09-28
User can request a password reset link without giving his website, even though he has it | Violation of Secure Design Principles | born2hack | No rating | 2014-09-19
Apache mod_negotiation filename bruteforcing | Cryptographic Issues - Generic | jpsecurityresearch | No rating | 2014-09-19
System Status Update CSRF | Cross-Site Request Forgery (CSRF) | chandrakant | No rating | 2014-09-10
CSRF on password change functionality | Cross-Site Request Forgery (CSRF) | robincool03111 | No rating | 2014-09-07
http://cdnjs.cloudflare.com/ Cross-site scripting 2 | Cross-site Scripting (XSS) - Generic | smiegles | No rating | 2014-08-08
jplayer.swf Cross-site scripting | Cross-site Scripting (XSS) - Generic | smiegles | No rating | 2014-08-08
Flash-based XSS in cdnjs.cloudflare.com subdomain | Cross-site Scripting (XSS) - Generic | prakharprasad | No rating | 2014-07-17
CSRF and No password requirement in this URL Billing Info | Cross-site Scripting (XSS) - Generic | shahmeer-amir | No rating | 2014-07-08
Content spoofing / CSRF at https://www.cloudflare.com/ajax/modal-dialog.html | Violation of Secure Design Principles | internetwache | No rating | 2014-07-08
Password reset threshold not set | Violation of Secure Design Principles | shahmeer-amir | No rating | 2014-07-08
Cookie missing the Secure flag | None supplied | 0xsaikiran | No rating | 2014-05-22
XSS - http://js.cloudflare.com | Cross-site Scripting (XSS) - Generic | dekeeu | No rating | 2014-05-22
Apache Multiviews are enabled | Denial of Service | shahmeer-amir | No rating | 2014-05-22
Security issue with your "bag" script | None supplied | peterjaric | No rating | 2014-05-07