Cloudflare BYOIP Outage - February 2026 Incident Overview

On 20 February 2026 at 1748 UTC, a configuration change in Cloudflare's Addressing API unintentionally withdrew about 1,100 BYOIP prefixes from the global network. The withdrawal caused BGP routes to disappear, leading to timeouts, 403 errors on the 1.1.1.1 dashboard, and service disruption for affected customers. Restoration required manual and automated re‑advertisement, lasting over six hours.

Root Causes and Failure Sequence

The incident originated from a sub‑task designed to clean up stale BYOIP prefixes. A bug in the API query (GET /v1/prefixes?pending_delete) returned incorrect results, prompting the system to withdraw active prefixes. Because the Addressing API propagates changes instantly to edge locations, the erroneous withdrawals were broadcast via Border Gateway Protocol, causing rapid loss of reachability for the affected IP address blocks.

Addressing API Automation Issue

The automated cleanup routine was part of Cloudflare's "Code Orange Fail Small" initiative, aiming to replace manual interventions with safe, health‑mediated workflows. The faulty logic misidentified active prefixes as candidates for deletion, triggering mass withdrawal before the bug was detected.

Impact on Services

Approximately 25 % of BYOIP prefixes (1,100 of 4,306) were removed, affecting any product bound to those ranges. Customers observed BGP path hunting, increased latency, and HTTP 403 responses on the 1.1.1.1 dashboard. DNS resolution over the public resolver remained functional.

Remediation Actions

Engineers reverted the configuration change, re‑advertised prefixes via the dashboard, and manually restored the remaining ~300 prefixes at 2303 UTC. Post‑incident, Cloudflare will add validation layers to the cleanup sub‑task, introduce staged rollouts for Addressing API changes, and enhance monitoring of BGP advertisement health.