Security Researcher Demonstrates Chain of Self-XSS and CSRF Vulnerabilities in Cloudflare Access
Key Takeaways
- Three individually low-severity vulnerabilities (Self-XSS, cookie tossing, and a weak CSRF token) can be chained into a critical bypass of Cloudflare Access approval mechanisms
- The attack demonstrates how bugs triaged as 'informative' can become significant security issues when combined in creative ways
- Both the CF_Authorization cookie and the CSRF token protections can be simultaneously undermined through the vulnerability chain
- A second variant in Browser Isolation suggests broader validation issues across Cloudflare's security infrastructure
Summary
A security researcher has documented a sophisticated vulnerability chain affecting Cloudflare Access's Temporary Auth approval mechanism. The attack combines three individually low-severity bugs (a Self-XSS on the SAML SSO endpoint, a cookie-tossing vulnerability on the *.cloudflareaccess.com domain, and a predictable CSRF token) to achieve a single-click bypass of the access request approval flow. The vulnerabilities were reported through HackerOne to Cloudflare's security team.
The attack exploits the authentication and CSRF protection mechanisms that guard Cloudflare's Temporary Auth feature, which enforces approval-based access to protected applications. By chaining the three bugs together, an attacker can forge access approvals without legitimate authorization. The researcher notes that after an initial fix was deployed, a second Self-XSS variant was discovered in Cloudflare's Browser Isolation feature, allowing the entire attack chain to be replayed, which demonstrates the systemic nature of the vulnerability class.
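As an added illustration, not Cloudflare's code (the page does not show it), the two server-side properties that break a chain like this: a CSRF token bound to the caller's session and signed with a server secret, so a token tossed in from an attacker's session does not verify for the victim, and a Set-Cookie check that rejects domain-scoped session cookies in favour of the `__Host-` prefix, which a browser refuses from any sibling subdomain. The `__Host-CF_Authorization` name, the secret and the session ids are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed per-deployment secret; in practice loaded from a secret store.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id, ttl=900, now=None):
    """Issue a token bound to one session: exp.nonce.HMAC(session|exp|nonce).

    Binding to the server-side session (not merely to a cookie value the
    client can control) means a token obtained or tossed in from another
    session will not verify here; the random nonce keeps it unpredictable.
    """
    exp = int(time.time() if now is None else now) + ttl
    nonce = secrets.token_hex(8)
    msg = f"{session_id}|{exp}|{nonce}".encode()
    sig = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{exp}.{nonce}.{sig}"


def verify_csrf_token(session_id, token, now=None):
    """Recompute the MAC for this session and compare in constant time."""
    try:
        exp_s, nonce, sig = token.split(".")
        exp = int(exp_s)
    except ValueError:
        return False
    if int(time.time() if now is None else now) > exp:
        return False
    msg = f"{session_id}|{exp}|{nonce}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def cookie_is_toss_resistant(set_cookie):
    """Check a Set-Cookie header for the attributes that defeat cookie tossing.

    A __Host- cookie must be Secure, have Path=/ and carry no Domain
    attribute; browsers enforce this, so a sibling subdomain cannot plant a
    same-named cookie scoped to the parent domain that shadows the real one.
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower(): p for p in parts[1:]}
    return (name.startswith("__Host-") and "secure" in attrs
            and attrs.get("path", "").lower() == "path=/" and "domain" not in attrs)
```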
Editorial Opinion
This disclosure highlights a critical lesson in vulnerability assessment: individually dismissing bugs as 'informative' or 'self-XSS' can obscure systemic security weaknesses when those bugs are carefully combined. The researcher's persistence in rebuilding the chain after the initial fix, and in discovering a second variant, suggests that organizations need to adopt more holistic security reviews that consider how low-impact vulnerabilities might interact. This case demonstrates why comprehensive security audits matter as much as individual bug fixes.