Vulnerability Disclosure on SSL for SaaS v1 (Managed CNAME)
Cloudflare, Friday, August 1st, 2025
Earlier this year, a group of external researchers identified and reported a vulnerability in Cloudflare's SSL for SaaS v1 (Managed CNAME) product offering through Cloudflare's bug bounty program.
We officially deprecated SSL for SaaS v1 in 2021; however, some customers received extensions for extenuating circumstances that prevented them from migrating to SSL for SaaS v2 (Cloudflare for SaaS). We have continually worked with the remaining customers to migrate them onto Cloudflare for SaaS over the past four years and have successfully migrated the vast majority of these customers. For most of our customers, there is no action required; for the very small number of SaaS v1 customers, we will be actively working to help migrate you to SSL for SaaS v2 (Cloudflare for SaaS).