The vulnerabilities arise from logic flaws in cross-tenant security controls. Cloudflare uses shared infrastructure that accepts connections from all tenants, which makes it possible for attackers to exploit these vulnerabilities. To do so, an attacker only needs to know the targeted web server’s IP address and have access to a free Cloudflare account.
For Authenticated Origin Pulls, an attacker can set up a custom domain with Cloudflare and point the DNS A record to the victim’s IP address. They can then disable all protection features for that custom domain in their Cloudflare account and route their attacks through Cloudflare’s infrastructure. This approach allows attackers to bypass the victim’s protection features.
