Cloudflare Launches Stateful API Vulnerability Scanner Targeting BOLA Flaws
Cloudflare's new Web and API Vulnerability Scanner goes beyond traditional WAF rules by actively probing for logic flaws like Broken Object Level Authorization, the top threat on the OWASP API Security Top 10.
Cloudflare announced the beta of its Web and API Vulnerability Scanner, a new tool that actively hunts for logic flaws in APIs rather than waiting to block attacks at the edge. The first target: Broken Object Level Authorization (BOLA), ranked #1 on the OWASP API Security Top 10.
Why this matters
Traditional WAFs are built to catch syntax-level attacks. SQL injection looks like code where data should be. XSS looks like a script tag in a form field. These have signatures that rules can match.
API vulnerabilities are different. A BOLA attack is a perfectly valid HTTP request that meets the protocol spec but accesses data belonging to another user. There is no malicious payload to detect: the request itself is legitimate, and only the authorization decision behind it is wrong.
No amount of WAF rules can catch that. You need to actually test the API by making requests and checking whether the authorization model holds.
How it works
Cloudflare uses AI to build API call graphs from observed traffic, mapping how endpoints relate to each other and which parameters represent user identity or resource IDs. The scanner then probes these endpoints with modified parameters to check if one user can access another user's resources.
This is stateful scanning. It understands session context, authentication flows, and resource ownership. It is not just fuzzing endpoints with random data.
The scanner runs in Cloudflare's network, so it can leverage the traffic patterns already observed by Cloudflare's WAF and API Shield to identify high-risk endpoints before scanning them.
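To make the point from both sections concrete, the following is an added example (not Cloudflare's code or any part of the scanner described above): a minimal order-lookup handler written once with the BOLA defect and once with an object-level ownership check, plus a small check that replays each observed request under a different user's session and reports which objects leak. All names, tokens and order records are constructed for the example, and the check is a self-test an API owner would run against their own endpoints, in the spirit of the stateful scanning the article describes.

```python
"""Added example: a BOLA-vulnerable handler, its fixed form, and an
ownership check that replays observed requests with a different session.
Everything here is constructed for illustration; nothing is real traffic."""
from dataclasses import dataclass

# Constructed sample data: two users, each owning exactly one order.
ORDERS = {
    1001: {"owner": "alice", "total": 42.00},
    1002: {"owner": "bob", "total": 17.50},
}
# Constructed session store: bearer token -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Response:
    status: int
    body: dict


def _authenticate(headers):
    """Resolve the bearer token to a user, or None if unknown."""
    token = headers.get("Authorization", "").removeprefix("Bearer ")
    return SESSIONS.get(token)


def get_order_vulnerable(order_id, headers):
    """BOLA: authenticates the caller, then returns ANY order by id.
    The request is well-formed and carries a valid session, so a WAF
    rule has nothing to match on; only the ownership check is missing."""
    user = _authenticate(headers)
    if user is None:
        return Response(401, {"error": "unauthenticated"})
    order = ORDERS.get(order_id)
    if order is None:
        return Response(404, {"error": "not found"})
    return Response(200, order)  # never compares order["owner"] to user


def get_order_fixed(order_id, headers):
    """Object-level authorization: the caller must own the object."""
    user = _authenticate(headers)
    if user is None:
        return Response(401, {"error": "unauthenticated"})
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        # Same response for missing and foreign objects, so the endpoint
        # does not confirm which ids exist.
        return Response(404, {"error": "not found"})
    return Response(200, order)


def check_object_level_authz(handler, observed_requests):
    """Replay each observed (owner token, object id) pair under every other
    known session; the authorization model holds only if all replays are
    denied. Returns the list of (object_id, other_user) pairs that leaked."""
    leaks = []
    for token, object_id in observed_requests:
        for other_token, other_user in SESSIONS.items():
            if other_token == token:
                continue
            resp = handler(object_id, {"Authorization": f"Bearer {other_token}"})
            if resp.status == 200:
                leaks.append((object_id, other_user))
    return leaks


# Constructed stand-in for the observed traffic a call graph would be built
# from: each user was seen fetching their own order.
OBSERVED = [("tok-alice", 1001), ("tok-bob", 1002)]

if __name__ == "__main__":
    print("vulnerable leaks:", check_object_level_authz(get_order_vulnerable, OBSERVED))
    print("fixed leaks:", check_object_level_authz(get_order_fixed, OBSERVED))
```

The check only needs two things the article says the scanner derives from traffic: which parameter is the resource id and which session legitimately owned it. Run as a regression test in CI, it fails the build the moment an endpoint starts returning another user's object.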
WAFplanet take
This is Cloudflare acknowledging what practitioners have known for years. WAF rules alone are not enough for API security. The most dangerous API vulnerabilities are logic flaws that look identical to legitimate traffic.
The interesting part is the integration. Most vulnerability scanners are standalone tools that run outside your infrastructure. Cloudflare is embedding scanning into its existing security platform, using real production traffic patterns to guide where to look. That reduces false positives and makes the scanner immediately useful without manual configuration.
For teams using Cloudflare with API Shield, this is a significant upgrade. For teams on other WAFs like Akamai or Imperva, it raises the bar for what API security should look like in 2026.