BotBeat
Cloudflare | RESEARCH | 2026-05-21

Cloudflare's Ask AI Feature Silently Creates Permanent API Tokens With Broad Read Access

Key Takeaways

  • Cloudflare's Ask AI automatically creates permanent API tokens with 160+ read permissions, without explicit user notification or consent
  • The tokens grant account-wide access to highly sensitive data, including secrets, logs, PII and audit records, and carry no expiration date
  • Users are never clearly warned that using the AI feature will create standing credentials with broad-access permissions
Source: Hacker News, https://www.frr.dev/posts/cloudflare-ask-ai-api-token/

Summary

A security researcher discovered that Cloudflare's "Ask AI" dashboard assistant automatically creates API tokens with extensive read permissions, without explicit user notification. The tokens carry over 160 read permission groups (covering secrets, logs, personally identifiable information (PII), audit logs and billing information) and are scoped to all accounts, zones and users. Most critically, the tokens never expire: they persist indefinitely unless someone notices them in the API token list and revokes them.

Security researcher frr149 stumbled upon such a token three weeks after using the Ask AI feature, exposing a significant transparency and consent gap. The tokens are read-only and can be revoked, but neither safeguard helps an owner who does not know the token exists; a leaked copy would give its holder standing, account-wide read access to the data listed above. The researcher argues that a permanent account-wide read credential vastly exceeds what is proportionate for answering a question, and that users are never meaningfully informed that using the AI feature silently provisions standing access to sensitive data.

  • The lack of transparency violates informed-consent principles for security-critical credentials and creates a persistent reconnaissance risk: whoever holds the token can enumerate configuration, logs and audit records across every account
  • Silent token creation conflates session-scoped assistant access with a permanent privileged credential; the two call for different lifetimes, scopes and disclosure
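The practical follow-up to the findings above is to check one's own account for the same pattern: an active token with no `expires_on` whose policy resources are wildcards. The script below is an added example, not code from the original post and not Cloudflare's. It works offline on a constructed sample that mirrors the shape of the `GET /user/tokens` response as I understand it (`expires_on` is null for a permanent token; each policy has a `resources` map and a `permission_groups` list); the field names, the `com.cloudflare.api.account.*` wildcard key and the `BROAD_PERMISSION_COUNT` threshold are assumptions to verify against the current Cloudflare API reference before using this against a real account. It only builds the revoke request; sending it is left to the caller's authenticated client.

```python
"""Audit Cloudflare user API tokens for standing, account-wide credentials.

Added example (not Cloudflare's code and not from the original post). Token
JSON shape is modelled on the public GET /user/tokens response as I
understand it; verify field names against the current API reference.
"""
import json
from dataclasses import dataclass

CF_API = "https://api.cloudflare.com/client/v4"

# Constructed sample: one narrowly scoped, expiring CI token and one permanent
# token whose policy covers every account and user. Identifiers are made up.
SAMPLE_TOKENS_JSON = r"""
[
  {"id": "tok-ci-deploy", "name": "ci-deploy", "status": "active",
   "issued_on": "2026-04-01T10:00:00Z", "expires_on": "2026-07-01T10:00:00Z",
   "policies": [{"effect": "allow",
                 "resources": {"com.cloudflare.api.account.zone.0123abcd": "*"},
                 "permission_groups": [{"id": "pg-1", "name": "Zone Settings Write"}]}]},
  {"id": "tok-assistant", "name": "Ask AI assistant token", "status": "active",
   "issued_on": "2026-04-30T12:00:00Z", "expires_on": null,
   "policies": [{"effect": "allow",
                 "resources": {"com.cloudflare.api.account.*": "*",
                               "com.cloudflare.api.user.*": "*"},
                 "permission_groups": [{"id": "pg-2", "name": "Logs Read"},
                                       {"id": "pg-3", "name": "Audit Logs Read"},
                                       {"id": "pg-4", "name": "Account Settings Read"}]}]}
]
"""

# Assumed threshold: a single token carrying this many permission groups is
# treated as broad even without a wildcard scope. The post describes 160+.
BROAD_PERMISSION_COUNT = 20


@dataclass(frozen=True)
class Finding:
    token_id: str
    name: str
    standing: bool        # no expires_on set
    account_wide: bool    # some allowed resource key is a wildcard ("...*")
    permission_count: int
    reasons: tuple


def load_tokens(raw_json: str) -> list:
    """Accept either a bare list or the full API envelope {"result": [...]}."""
    data = json.loads(raw_json)
    return data["result"] if isinstance(data, dict) else data


def _permission_count(token: dict) -> int:
    names = {pg.get("name") or pg.get("id")
             for pol in token.get("policies", [])
             for pg in pol.get("permission_groups", [])}
    return len(names)


def _is_account_wide(token: dict) -> bool:
    return any(key.endswith(".*")
               for pol in token.get("policies", [])
               if pol.get("effect", "allow") == "allow"
               for key in pol.get("resources", {}))


def audit_tokens(tokens: list) -> list:
    """Return a Finding for each active token that is permanent AND broad
    (wildcard scope or many permission groups). Expiring or narrow tokens pass."""
    findings = []
    for tok in tokens:
        if tok.get("status") != "active":
            continue
        standing = not tok.get("expires_on")
        wide = _is_account_wide(tok)
        count = _permission_count(tok)
        reasons = []
        if standing:
            reasons.append("no expiry")
        if wide:
            reasons.append("wildcard account/user scope")
        if count >= BROAD_PERMISSION_COUNT:
            reasons.append(f"{count} permission groups")
        if standing and (wide or count >= BROAD_PERMISSION_COUNT):
            findings.append(Finding(tok["id"], tok.get("name", ""), standing,
                                    wide, count, tuple(reasons)))
    return findings


def revoke_request(token_id: str) -> tuple:
    """Build (method, url) for revoking a user token. Nothing is sent here;
    the caller issues it with its own authenticated client."""
    return ("DELETE", f"{CF_API}/user/tokens/{token_id}")


if __name__ == "__main__":
    for f in audit_tokens(load_tokens(SAMPLE_TOKENS_JSON)):
        method, url = revoke_request(f.token_id)
        print(f"{f.token_id} ({f.name}): {', '.join(f.reasons)} -> {method} {url}")
```

Run against a real listing, the CI token passes (it expires and is pinned to one zone) while the assistant token is flagged for both reasons the post describes. Reviewing the flagged token's `name` and `issued_on` before revoking avoids cutting off a credential something legitimate depends on.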

Editorial Opinion

Cloudflare's silent token provisioning exemplifies a dangerous pattern: an AI feature grants itself broad permissions under the guise of helpfulness. Read-only access and revocability are real safeguards, but they become illusory when users do not know the token exists or what it can reach. Permanent credentials that, if leaked, expose an organization's entire security posture, logs and PII demand explicit, informed opt-in, not background provisioning disclosed only in tooltip text.

Tags: Cybersecurity, Ethics & Bias, AI Safety & Alignment, Privacy & Data


© 2026 BotBeat