Cloudflare is deploying a fix for a bug affecting customers using Bot Management with Cloudflare for SaaS origin-to-origin (O2O) configurations.
These customers may have observed an issue where the __cf_bm cookie was repeatedly being reset on each O2O request. This occurred because the bot cookie code runs twice during O2O requests – once on the eyeball zone and once on the origin zone – causing the cookie to be overwritten due to a mismatch in origin and eyeball domains.
A fix is being implemented to prevent the __cf_bm cookie from being set on the origin hop of O2O requests. This will allow eyeball zones to properly utilize session scoring functionality and improve cacheability for O2O requests. The fix is expected to be completed by March 16, 2026.
Posted Mar 12, 2026 - 20:40 UTC
This incident affected: Cloudflare Sites and Services (Bot Management).