Cloudflare WAF Incident — March 3, 2026: Challenge Actions Broken Globally

Statusfield Team

Cloudflare's WAF Challenge actions were broken globally for ~89 minutes today, affecting any site using Managed Challenge, JS Challenge, or I'm Under Attack mode. Here's what happened and what it means for your security setup.

Update (Resolved): Cloudflare confirmed the WAF incident is resolved as of approximately 5:44 PM CST.

Cloudflare experienced a significant WAF (Web Application Firewall) incident today, affecting Challenge actions globally for approximately 89 minutes. If your site uses Cloudflare security challenges — Managed Challenge, JS Challenge, or I'm Under Attack mode — your users experienced broken request flows during the incident window.

Here's what happened, who was affected, and what it reveals about relying on WAF-layer security.

What Happened

At 4:15 PM CST (22:15 UTC), Cloudflare began investigating an issue where origins were receiving challenge solve requests instead of the original user request.

In plain terms: when a visitor solved a Cloudflare security challenge (the "Checking your browser..." page), Cloudflare forwarded the challenge completion form data to the origin server instead of the visitor's original request. The user's actual intent — loading a page, submitting a form, hitting an API endpoint — was silently discarded.

The incident resolved at approximately 5:44 PM CST (~23:44 UTC), after about 89 minutes. Cloudflare has not yet published a detailed root cause analysis.

Timeline

Time (CST)      Event
4:15 PM         Cloudflare begins investigating WAF Challenge issue
4:15–5:44 PM    Origins receiving challenge solve requests instead of original requests
5:44 PM         Cloudflare confirms incident resolved

Who Was Affected

This incident affected any Cloudflare customer using WAF Challenge actions, including:

  • Sites with Bot Fight Mode or Super Bot Fight Mode enabled
  • Sites using I'm Under Attack mode
  • Sites with custom WAF rules triggering Managed Challenge or JS Challenge
  • Any Cloudflare zone where traffic can be routed through challenge pages

If your Cloudflare configuration uses only firewall rules with Block, Allow, or Log actions (no challenges), you were not directly affected.

Why This Is a Subtle, Dangerous Failure Mode

This incident is a good example of the kind of failure that's easy to miss but painful for users.

Your site appeared to be up. Cloudflare's status dashboard showed "mostly operational." Uptime monitors checking your homepage returned 200 OK. Logs showed normal traffic. But any user who happened to trigger a WAF challenge — a bot-flagged IP, an unusual request pattern, a new user from a suspicious region — got a broken experience.

For sites using aggressive WAF configurations, this could mean:

  • Checkout flows broken — users completing a security challenge before payment got their cart wiped
  • Login pages failing — challenge-protected login forms silently discarded credentials
  • API calls lost — POST requests containing real data forwarded as empty challenge completions
  • Forms not submitted — contact forms, signup flows, lead capture all broken for challenged users

The failures were silent from your monitoring side, but loud and confusing for affected users.

What to Watch for After This Kind of Incident

Once Cloudflare fully resolves the issue, it's worth taking these steps:

  1. Check your error logs for the 4:15–5:44 PM CST window — look for unusual POST body sizes, unexpected 4xx responses on form endpoints, or session anomalies
  2. Review Cloudflare Analytics for the challenge traffic during this window — challenged users who "completed" the challenge may have generated broken follow-through requests
  3. Check any conversion funnel data — if you run e-commerce or lead capture, look at abandonment rates during this window
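
One way to run the log check from step 1, added here as an example and not taken from Cloudflare or Statusfield: it scans an origin access log for POSTs to form endpoints inside the incident window and flags 4xx responses or request sizes far from the per-path baseline seen outside the window. The JSON-lines log format, its field names, the endpoint paths and the 1.5x size ratio are assumptions, and the sample lines are constructed.

```python
import json
from datetime import datetime, timezone
from statistics import median

# Incident window from the post: 4:15-5:44 PM CST = 22:15-23:44 UTC, March 3, 2026.
WINDOW = (datetime(2026, 3, 3, 22, 15, tzinfo=timezone.utc),
          datetime(2026, 3, 3, 23, 44, tzinfo=timezone.utc))

# Constructed sample lines; the JSON field names are assumptions, not a real log schema.
SAMPLE_LOG = """\
{"ts":"2026-03-03T20:01:10+00:00","method":"POST","path":"/login","status":302,"request_length":412}
{"ts":"2026-03-03T21:30:45+00:00","method":"POST","path":"/login","status":302,"request_length":398}
{"ts":"2026-03-03T21:55:02+00:00","method":"POST","path":"/checkout","status":200,"request_length":1840}
{"ts":"2026-03-03T22:20:13+00:00","method":"POST","path":"/login","status":400,"request_length":3105}
{"ts":"2026-03-03T22:41:50+00:00","method":"POST","path":"/checkout","status":200,"request_length":3290}
{"ts":"2026-03-03T23:02:27+00:00","method":"POST","path":"/login","status":302,"request_length":405}
{"ts":"2026-03-03T23:10:00+00:00","method":"GET","path":"/login","status":200,"request_length":210}
"""

def in_window(rec):
    return WINDOW[0] <= rec["ts"] <= WINDOW[1]

def load_posts(lines, form_paths):  # keep only POSTs to the form endpoints of interest
    posts = []
    for line in filter(str.strip, lines):
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        if rec["method"] == "POST" and rec["path"] in form_paths:
            posts.append(rec)
    return posts

def find_suspect_posts(lines, form_paths, ratio=1.5):
    """Flag in-window POSTs with a 4xx status or a size far from the out-of-window median."""
    posts = load_posts(lines, form_paths)
    baseline = {}
    for r in (p for p in posts if not in_window(p)):
        baseline.setdefault(r["path"], []).append(r["request_length"])
    suspects = []
    for r in filter(in_window, posts):
        reasons = ["4xx"] if 400 <= r["status"] < 500 else []
        sizes = baseline.get(r["path"])
        if sizes and not (median(sizes) / ratio <= r["request_length"] <= median(sizes) * ratio):
            reasons.append("size")
        if reasons:
            suspects.append((r["ts"].isoformat(), r["path"], r["status"], reasons))
    return suspects

if __name__ == "__main__":
    print(*find_suspect_posts(SAMPLE_LOG.splitlines(), {"/login", "/checkout"}), sep="\n")
```

Request size is only available if the origin logs it (for example a request-length field in a custom log format); without it, the 4xx check still applies.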

The Broader Point: Third-Party Security Is Also Third-Party Risk

When you outsource security to Cloudflare's WAF, you also take on Cloudflare's operational risk. Today's incident is a reminder that WAF challenges are a point of failure in your user flow — one you don't control.

This isn't an argument against using Cloudflare WAF (it's excellent). It's an argument for knowing when it has issues in real time, so your team can communicate accurately, make temporary adjustments if needed, and resume normal operations the moment it recovers.

Statusfield monitors Cloudflare's official status page and sends instant alerts when any component changes status — including WAF-related incidents like today's.


Published: March 3, 2026. Incident duration: ~89 minutes (4:15–5:44 PM CST).