BotBeat

Cloudflare | Research | 2026-05-21

Cloudflare's Ask AI Feature Silently Creates Permanent API Tokens With Broad Read Access

Key Takeaways

  • Cloudflare's Ask AI automatically creates permanent API tokens with 160+ read permissions without explicit user notification or consent
  • Tokens grant account-wide access to highly sensitive data including secrets, logs, PII, and audit records, with no expiration date
  • Users are never clearly warned that using the AI feature will create standing credentials with broad-access permissions

Source: Hacker News, https://www.frr.dev/posts/cloudflare-ask-ai-api-token/

Summary

A security audit discovered that Cloudflare's "Ask AI" dashboard assistant automatically creates API tokens with extensive read permissions without explicit user notification. The tokens grant access to over 160 read permissions—including secrets, logs, personally identifiable information (PII), audit logs, and billing information—scoped to all accounts, zones, and users. Most critically, these tokens never expire, persisting indefinitely unless manually discovered and revoked.

Security researcher frr149 stumbled upon such a token three weeks after using the Ask AI feature, revealing a significant transparency and consent gap. While the tokens are read-only and technically revocable, the lack of user notification and the permanent nature of the credentials create a substantial security risk. The researcher argues that a permanent account-wide read credential vastly exceeds what's proportionate for answering a question, and that users are never meaningfully informed that using the AI feature will silently provision standing access to sensitive data.

  • The lack of transparency violates informed consent principles for security-critical credentials and creates a persistent reconnaissance risk
  • Silent token creation represents a security practice that fails to distinguish between session-scoped assistant access and permanent privileged credentials
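The practical follow-up to a finding like this is an inventory check: list the API tokens in your own account and flag any that never expire, carry a wildcard account or user scope, or bundle an unusually large or sensitive set of read permissions. The script below is an added example, not code from the post or from Cloudflare. It assumes the shape of the Cloudflare v4 token-list response (`GET /user/tokens`: a `result` array of tokens with `status`, `expires_on`, and `policies[]` holding `resources` and `permission_groups[]`); the token records, permission-group names and the threshold of 20 permission groups are constructed for the example, and the `fetch_user_tokens` helper is included but not called so that the audit runs offline.

```python
"""Flag standing, broad-read Cloudflare API tokens in a token listing.

Added example; assumes the field names of the Cloudflare v4 `GET /user/tokens`
response. Sample data below is constructed and does not come from the post.
"""
import json
import urllib.request
from typing import Any

# Substrings that mark a permission group as touching sensitive data.
# Constructed for this example; tune to your own naming.
SENSITIVE_MARKERS = ("secret", "log", "audit", "billing", "user")
MAX_PERMISSION_GROUPS = 20  # constructed policy threshold

# Constructed sample: one narrowly scoped CI token and one token shaped like the
# silently provisioned assistant token the post describes (no expiry, wildcard
# account/user scope, many read permissions). Names and ids are placeholders.
_BROAD_PERMS = [f"Service {i} Read" for i in range(20)] + [
    "Logs Read", "Audit Logs Read", "Billing Read",
    "Secrets Store Read", "Workers Scripts Read",
]
SAMPLE_TOKEN_LIST = json.dumps({
    "success": True,
    "result": [
        {
            "id": "tok-placeholder-1", "name": "CI deploy (zone read)",
            "status": "active", "issued_on": "2026-04-01T10:00:00Z",
            "expires_on": "2026-07-01T10:00:00Z",
            "policies": [{
                "effect": "allow",
                "resources": {"com.cloudflare.api.account.zone.placeholder": "*"},
                "permission_groups": [{"id": "pg-zone", "name": "Zone Read"}],
            }],
        },
        {
            "id": "tok-placeholder-2", "name": "Ask AI (constructed)",
            "status": "active", "issued_on": "2026-04-30T09:12:00Z",
            "expires_on": None,
            "policies": [{
                "effect": "allow",
                "resources": {"com.cloudflare.api.account.*": "*",
                              "com.cloudflare.api.user.*": "*"},
                "permission_groups": [{"id": f"pg-{i}", "name": n}
                                      for i, n in enumerate(_BROAD_PERMS)],
            }],
        },
    ],
})


def audit_tokens(payload: str, max_groups: int = MAX_PERMISSION_GROUPS) -> list[dict[str, Any]]:
    """Return one finding per active token that violates any of the checks."""
    findings: list[dict[str, Any]] = []
    for tok in json.loads(payload).get("result", []):
        if tok.get("status") != "active":
            continue  # disabled/expired tokens cannot be used; skip them
        policies = tok.get("policies", [])
        perms = [pg["name"] for pol in policies for pg in pol.get("permission_groups", [])]
        scopes = [s for pol in policies for s in pol.get("resources", {})]
        reasons: list[str] = []
        if not tok.get("expires_on"):
            reasons.append("no expiry")
        if len(perms) > max_groups:
            reasons.append(f"{len(perms)} permission groups (> {max_groups})")
        wild = [s for s in scopes if s.endswith(".*")]
        if wild:
            reasons.append("wildcard scope: " + ", ".join(wild))
        sensitive = sorted({p for p in perms
                            if any(m in p.lower() for m in SENSITIVE_MARKERS)})
        if sensitive:
            reasons.append("sensitive read: " + ", ".join(sensitive))
        if reasons:
            findings.append({"id": tok["id"], "name": tok.get("name"), "reasons": reasons})
    return findings


def fetch_user_tokens(api_token: str) -> str:
    """Fetch the live listing (not called here). Needs a token allowed to read
    API tokens; the endpoint below is the documented Cloudflare v4 list call."""
    req = urllib.request.Request(
        "https://api.cloudflare.com/client/v4/user/tokens",
        headers={"Authorization": f"Bearer {api_token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    for f in audit_tokens(SAMPLE_TOKEN_LIST):
        print(f"{f['id']} ({f['name']}):")
        for r in f["reasons"]:
            print(f"  - {r}")
```

Tokens that trip the "no expiry" and wildcard-scope checks are the ones to review first; the post's point is that such a token can exist without the account owner ever having chosen to create it, so an inventory like this, run periodically, is the only way to notice one.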

Editorial Opinion

Cloudflare's silent token provisioning exemplifies a dangerous pattern where AI systems grant themselves broad permissions under the guise of helpfulness. While read-only access and revocability provide some safeguard, they become illusory when users don't know the token exists or what it can access. Permanent credentials that can exfiltrate an organization's entire security posture, logs, and PII demand explicit, informed opt-in—not background provisioning hidden in tooltip text.

Tags: Cybersecurity, Ethics & Bias, AI Safety & Alignment, Privacy & Data

More from Cloudflare

  • Update: Cloudflare Rebuilds Browser Run on Containers for 4x Better Performance and Scale (2026-05-14)
  • Funding & Business: Cloudflare Cuts 1,100 Workers (20% of Staff) as AI Transforms Operations (2026-05-09)
  • Funding & Business: Cloudflare Lays Off 1,100 Employees to Prepare for 'Agentic AI Era' (2026-05-07)

Suggested

  • OpenAI, Partnership: OpenAI's Codex Partners with 1Password to Securely Manage Credentials (2026-05-21)
  • Google / Alphabet, Industry Report: Gemini's Production Disaster Exposes Dangers of 'Vibe Coding' as AI Agents Go Rogue (2026-05-21)
  • Google / Alphabet, Research: Google's Gemini AI Unexpectedly Exposed System Prompt, Revealing Hidden Instructions (2026-05-21)

© 2026 BotBeat