Cloudflare Outage Map

Community Discussion

Tips? Frustrations? Share them here. Useful comments include a description of the problem, city and postal code.

Beware of "support numbers" or "recovery" accounts that might be posted below. Make sure to report and downvote those comments. Avoid posting your personal information.

Cloudflare Issues Reports

Latest outage, problems and issue reports in social media:

• 
  Aiona Edge (@aionaedge) reported 5 minutes ago

  Anthropic's Project Glasswing just released its first results, and the headline is staggering: Claude Mythos Preview has uncovered more than 10,000 high- or critical-severity vulnerabilities across partner software in just one month. Cloudflare alone found 2,000 bugs (400 high/critical). Mozilla patched 271 Firefox vulnerabilities — ten times what the previous Claude model caught. Palo Alto Networks shipped five times its normal patch volume. Microsoft says its patch releases will "continue trending larger for some time." But here's what the headlines are missing. **WHAT EVERYONE IS SAYING** The coverage reads like a cybersecurity breakthrough story. AI finds bugs! Software gets safer! Anthropic saves the internet! The narrative writes itself — a frontier AI model deployed responsibly through controlled partnerships, finding real vulnerabilities before bad actors can exploit them. It's the "responsible AI" story everyone wants to believe. And to be clear: the numbers are real. Anthropic independently scanned 1,000 open-source projects and found 6,202 high- or critical-severity vulnerabilities, with a 90.6% true positive rate after third-party verification. A Mythos-powered tool at a partner bank caught a $1.5M fraudulent wire transfer. The UK's AI Security Institute confirmed Mythos is the first model to fully solve both of its in-house cyber range simulations. These are not demo numbers. This is production-grade capability. **WHAT'S ACTUALLY GOING ON** Here's the part that should keep security leaders up at night: of those 23,019 total vulnerabilities Mythos found in open-source projects, only 97 have been patched. 97 out of 23,019. The bug-finding capacity of AI has completely outpaced the bug-fixing capacity of the humans who maintain the software the entire world runs on. Open-source maintainers have literally asked Anthropic to slow down disclosures because they can't keep up. The average fix time for a high- or critical-severity bug is two weeks. Anthropic's model finds them in hours. That's not a feature — that's a systemic risk multiplier. And Anthropic themselves are saying this explicitly. They write: "No company, including Anthropic, has built safeguards strong enough to stop misuse of these models and prevent serious damage." They note that Mythos-class capabilities will soon be widely available. OpenAI's GPT-5.5 is already competitive on these benchmarks, with a specialized GPT-5.5 Cyber variant available to vetted researchers. The asymmetric advantage attackers get from this — the ability to find and weaponize vulnerabilities at machine speed — is not theoretical. It is the current reality. Consider the math: a Mythos-class model can find a critical vulnerability in hours. The average time to patch is two weeks. That gap — call it the "exposure window" — just widened from a crack to a canyon. And it's not just zero-days anymore. It's thousands of known-but-unpatched vulnerabilities sitting in open-source infrastructure that the entire internet depends on. **WHAT THIS MEANS FOR BUSINESS LEADERS** 1. **Your patch cadence is now a competitive vulnerability.** If your organization patches on a monthly cycle, you're operating on a timescale that AI attackers have already left behind. The companies that will survive the next 24 months are the ones that can patch in days, not weeks. Audit your patch management process right now. If it takes you longer than 72 hours from patch availability to deployment for critical vulnerabilities, you are exposed. 2. **Open-source risk has fundamentally changed.** If you're running open-source infrastructure (and you are — the average enterprise has thousands of OSS dependencies), the old assumption was that obscurity provided some protection. That assumption is dead. Every unpatched vulnerability in every project you depend on is now findable by machine. Map your dependencies, identify which projects have small maintainer teams, and start contributing resources to their security. 3. **AI security tools are no longer optional — they're existential.** The same capability that finds 10,000 vulnerabilities can also exploit them. If your security team isn't using AI-powered vulnerability detection and response tools right now, you're defending a castle with medieval weapons against an army that has aerial reconnaissance. Budget for this in Q3, not next year's plan. 4. **The "responsible deployment" window is closing.** Anthropic is holding Mythos Preview back from public release specifically because they can't guarantee it won't be misused. But they acknowledge comparable models are coming. The period where only vetted partners have this capability is temporary. Your security planning should assume widespread availability by end of 2026. The real story of Project Glasswing isn't that AI can find bugs. It's that AI has exposed a structural weakness in how the world maintains its critical software. We built a civilization on open-source code maintained by underfunded teams, and we just gave everyone — defenders and attackers alike — a map of every crack in the foundation. The question isn't whether AI will make software more secure eventually. It almost certainly will. The question is what happens in the transition — and whether we can close the gap between finding flaws and fixing them before someone else exploits them first. #ProjectGlasswing #Cybersecurity #AISafety

• 
  Joris Mak bsky: @jorismak.nl (@MakJoris) reported 7 minutes ago

  @Cloudflare I switch regularly between multiple devices, and they have no sync. Passkeys can be a pain if they don't allow you to login in differently. under Linux passkeys are plain up not working, on my desktop 'windows hello' jumps up to ask for a pin (I'd rather just have it prefilled)

• 
  Mike Gannotti (@MichaelGannotti) reported 13 minutes ago

  THE HOOK Anthropic's Project Glasswing just dropped its first update, and the headline number is staggering: Claude Mythos Preview has found more than 10,000 high- or critical-severity vulnerabilities in system-critical software — in one month. Cloudflare alone flagged 2,000 bugs (400 high/critical). Mozilla patched 271 Firefox vulnerabilities, 10x what the previous Claude model caught. This isn't a lab demo. This is production software that runs the internet. But the real story isn't the discovery rate. It's the patching rate. THE INTERPRETATION The data reveals something the headline misses: of the 23,019 total vulnerabilities Mythos found across 1,000+ open-source projects, only 97 have been patched. Not 97%. Ninety-seven total. Of 530 high/critical bugs disclosed to maintainers, only 75 are patched. Only 65 have public advisories. Let me put that in perspective: Anthropic's AI is uncovering vulnerabilities roughly 10x faster than the security ecosystem can fix them. The 90.6% true-positive rate is impressive — this isn't noise. But the funnel from discovery → triage → disclosure → patch is collapsing under volume. Several open-source maintainers have asked Anthropic to slow down disclosures because they can't keep up. Think about that: the defensive AI is outpacing the human defensive capacity, and the humans are asking it to stop telling them what's broken. THE IMPLICATION This is the most concrete example yet of what I'd call the "asymmetric capability gap" in AI. Finding bugs is an O(n) problem at the frontier — you throw more compute at scanning, you find more bugs. Fixing them is an O(n²) social coordination problem — every patch requires human review, architectural judgment, backward compatibility decisions, regression testing, and coordinated deployment across thousands of dependent systems. For business leaders building with AI, the implication is direct: your security posture can no longer assume that undiscovered vulnerabilities are your main risk. The risk is now *known but unpatched* vulnerabilities. The attack surface isn't shrinking — it's being illuminated faster than it's being contracted. Three concrete actions: 1. Shorten your patch cycles now. Microsoft and Palo Alto Networks are already shipping 5x more patches per release cycle. If your organization's patch SLA is 30 days, it needs to be 7. If it's 7, it needs to be 24 hours for criticals. 2. Invest in the boring fundamentals. Anthropic's own recommendation — MFA, hardened configurations, comprehensive logging — isn't new advice. But it hits differently when you realize that thousands of zero-days are being discovered monthly, and most won't have patches available before the 90-day disclosure window opens. 3. Audit your dependency tree ruthlessly. The open-source projects Mythos scanned underpin most enterprise stacks. If you're running unpatched versions of common libraries, you should assume the vulnerability is known to someone — it's just not known to you yet. THE COUNTERPOINT Here's what Anthropic's post carefully avoids saying: they're creating the problem and selling the solution. Mythos Preview isn't public — it's gated behind Project Glasswing partnerships. But Anthropic explicitly acknowledges that "models with similar cybersecurity skills will soon be more broadly available." GPT-5.5 already benchmarks close on ExploitBench. The defensive advantage of Glasswing is temporary by design. More importantly, the 90-day coordinated vulnerability disclosure window was designed for a world where vulnerabilities are rare and discovery is expensive. That model breaks when an AI can enumerate thousands of bugs in a month. The entire CVD framework — which balances disclosure timing between finders and vendors — assumes a trickle, not a firehose. Nobody has proposed a replacement framework that works at this volume. And there's an uncomfortable question Anthropic doesn't address: if Mythos-class capabilities will soon be available to attackers, is the net effect of publishing 10,000 vulnerability locations positive or negative during the window where only 97 are patched? Anthropic's answer is clearly "the knowledge helps defenders," but right now the ratio of discovered-to-patched vulnerabilities suggests defenders can't act on the knowledge fast enough. THE BOTTOM LINE AI has fundamentally broken the economics of vulnerability discovery. Finding bugs used to be the hard part; fixing them was routine. Now finding is cheap and fixing is the bottleneck. Every organization's security strategy needs to invert: stop optimizing for threat detection (the AI has that covered) and start optimizing for patch velocity and blast-radius reduction (the part humans still own). The companies that survive the next 18 months won't be the ones with the best threat intel — they'll be the ones with the fastest remediation cycles. #ProjectGlasswing #AICybersecurity #VulnerabilityManagement

• 
  FootiememeTV (@FootiememeTv) reported 16 minutes ago

  @inference_labs inference changes the economics of AI. But once outputs start driving real systems, verification becomes the bottleneck. Cloudflare leaning into AI reviews at scale is another signal that the next infrastructure layer won’t just generate intelligence it’ll prove it.

• 
  Vadim Zolotokrylin (@zolotokrylin) reported 18 minutes ago

  @mignano If routing commoditizes token margins, it becomes a pure volume and scale game. How does an independent router build defensible network effects before infrastructure layers like Cloudflare or AWS integrate routing natively into their edge networks?

• 
  Ryzm (@Goeun_6121) reported 20 minutes ago

  The internet did not suddenly get broken. Someone finally sent AI into the basement. Mozilla found 271 Firefox bugs with Claude Mythos. Cloudflare says the model was not just yelling “bug.” It could test, prove, and chain issues like a real security researcher. That is the uncomfortable part.. For years, a lot of the internet survived because the code was too old, too boring, and too annoying to inspect line by line. Now a model can do the boring part without getting tired. So the new problem is not “can we find the bugs?” Apparently, yes. The problem is the pile after that. Who checks it? Who patches it? Who tells the maintainer? Who ships the fix without breaking something else? AI made the flashlight bigger. The basement is still full..

• 
  Chris Covington (@_ChrisCovington) reported 23 minutes ago

  @AlanNeveu @vpetryniak @Cloudflare yup most have them builtin, they are basically the same thing from the managers pov. also yes the platform issues with these are 99% of the headache, not the tech itself lol

• 
  陈哥｜💰复盘重生🐕｜ (@CZS_King) reported 24 minutes ago

  @OpenAIDevs @OpenAI @OpenAIDevs The Codex Windows App has been crashing frequently when running tasks involving the Cloudflare plugin. My situation: I am using the Codex Windows desktop app. Codex was executing a task with the Cloudflare plugin. I did not manually use the built-in browser. During the task, Codex suddenly crashed and closed by itself. After the crash, the app could not be opened normally again. I had to reinstall the app every time just to temporarily recover it. Once the Cloudflare plugin is used again, the crash may happen again. The Chrome extension also cannot be installed. Chrome Web Store shows: “This item is not available for purchase or download.” This does not look like a normal local computer issue. It seems related to: Codex Windows App + Cloudflare Plugin / Plugin Discovery / Chrome Extension integration. Please help confirm: Is this a known issue? Is there an official fix? How can I safely disable the problematic plugin without deleting local Codex data? Is there an official recovery method for the Windows version of Codex? Chrome has already been updated to the latest version, but the issue still exists. Please help investigate. This issue makes the Codex Windows App almost unusable when the Cloudflare plugin is involved.

• 
  JOAT (@0x_joat) reported 31 minutes ago

  Cloudflare seems to be down

• 
  miko (@mikotre) reported 31 minutes ago

  @TKtamilarasan2 @jackfriks I can try... If you use supabase storage and its db you can connect data easily. But this has huge egress costs like jack has. If you rather use R2 or any other storage like cloudflare which doesnt have egress costs then the data inside R2 and the document isnt easily connected. The "base" way to do so is to store storage path in supabase and each time you want to download/view you try to get a presigned url so you dont touch any sensitive data (done with edge function). A small problem is that if you delete stuff in supabase db then it DOESNT automatically delete the r2 storage object; so you keep paying for storing that file as its still in the r2 but its deleted from your own db. So i solved this that i have a trigger that when a row is deleted in my db; before it deletes it it creates a queue which has that delete objects path; and another edge function that then simply calls the r2 and deletes the file at that path. Then files are deleted both places. You can dm me and ill send my source code of you want.

• 
  Duncan Smart (@duncansmart) reported 31 minutes ago

  @SnazzyLabs Yes, even @Cloudflare gets this wrong in their dashboard login, they still treat it as 2FA

• 
  Kordu (@KorduGG) reported 32 minutes ago

  @saltyAom Get some First class cloudflare workers support

• 
  Non-Linear (@nonlinear_james) reported 34 minutes ago

  @AniketVarshne @skcd42 Looks like the @Cloudflare captcha is broken?

• 
  Hacksore (@Hacksore) reported 34 minutes ago

  No WAF No gRPC/protobufs No Kubernetes No service mesh No 17 layers of observability (Jaeger + Prometheus + Grafana + OpenTelemetry + whatever new **** dropped this week) No "eventually consistent" 8 microservices with Kafka between them No Cloudflare + 3 CDNs + edge functions No "we use hexagonal architecture" No Terraform for 47 resources No "left shift security" bullshit yeah it's not that complicated

• 
  LisaMonaAi (@LisaMonaAi) reported 37 minutes ago

  @morganb @nejatian per Grok. 1. Precise Technical Explanation Cloudflare acts as a reverse proxy, CDN, and Web Application Firewall (WAF) for millions of sites. When a request hits one of their edge servers, they evaluate dozens of signals (IP reputation, request patterns, headers, ASN metadata, etc.). Error 1005 specifically triggers when the site owner has explicitly banned the Autonomous System Number (ASN) tied to your incoming IP address. An ASN is a globally unique identifier (e.g., AS9009, AS4134) assigned by regional internet registries (RIRs) to a single network operator—your ISP, a VPN provider’s backbone, a cloud hosting provider, a mobile carrier, or a data center. It represents an entire block of IP prefixes (often thousands or millions of addresses) that share the same routing policy. Blocking at the ASN level is far more efficient than listing individual IPs; Cloudflare’s IP Access Rules and Firewall Rules support this natively. The Ray ID (9ffd6722adaa29d6) is a unique, per-request fingerprint generated by Cloudflare. It is not personally identifiable to you, but it allows the website owner to instantly query their Security > Events log (or Security Events analytics) and see exactly which rule, threshold, or custom firewall policy triggered the ban for this exact connection. The UTC timestamp confirms this was a live event today (May 22, 2026). It is not cached or historical—it reflects the moment Cloudflare’s edge server rejected the request. In short: Cloudflare is not banning you. The site owner told Cloudflare, “Never let anyone from this ASN reach my origin server.” 2. Root Causes – Why This Happens (Most Common to Rare) From threat intelligence patterns and Cloudflare’s own documentation/community data: VPN / Proxy / Residential Proxy Networks (by far the #1 trigger) Popular VPN providers (Proton, ExpressVPN, Nord, Windscribe, etc.) and scraping proxies frequently ride on well-known ASNs (e.g., AS9009 – M247, a data-center-heavy provider). Many sites proactively ban these because they are associated with high abuse rates: credential stuffing, price scraping, account farming, DDoS-for-hire, or geo-restriction circumvention. High-abuse ISP or Data-Center ASN Certain residential ISPs, mobile carriers, or budget hosting providers accumulate poor reputation scores on blocklists (DroneBL, Spamhaus, etc.). One bad actor on the network can taint the entire ASN. Site-Specific Security PolicyThe owner enabled Cloudflare’s Bot Fight Mode, Super Bot Fight Mode, or custom WAF rules that automatically tag and block suspicious ASNs. Manual IP Access Rule or Firewall Rule created after previous abuse from that network. Rate-limiting thresholds exceeded in the past (e.g., too many requests from the same ASN in a short window). Edge Cases & NuancesTemporary vs. permanent: Some sites set time-limited ASN blocks (e.g., 24–72 hours after detected scraping). False positives: Legitimate users on shared infrastructure (corporate VPNs, university networks, privacy-focused ISPs) get caught. Regional overblocking: Your Miami, Florida location (U.S. East Coast) is generally low-risk, so this almost certainly points to a VPN/proxy or a specific ASN reputation issue rather than geographic targeting. IPv6 vs. IPv4: Some sites block only one protocol’s ASN. 3. Security Implications (Defensive Strength vs. Collateral Damage) Strengths: Extremely effective against automated attacks. Scrapers, bots, and brute-force tools love VPN/data-center IPs because they are cheap and disposable. ASN-level blocking stops entire botnets in one rule. Reduces origin-server load and mitigates DDoS amplification. Allows site owners to maintain a clean threat model without constant manual intervention. Weaknesses & Risks: Overblocking: Legitimate users lose access (e.g., journalists, researchers, travelers using VPNs for public Wi-Fi safety). Evasion arms race: Sophisticated attackers simply rotate to new residential proxy ASNs or compromised devices, while average users suffer. Single point of failure: If the site’s Cloudflare configuration is overly aggressive, it can create availability issues or denial-of-service against its own audience.