Technology

Cloudflare outage disrupts websites worldwide

Edge DNS WAF Workers centralization turns fault into global event, Security as a service becomes single point of failure

Images

Cloudflare, a widely-used web infrastructure and security service, experienced issues on February 20, 2026 that caused some users to report service disruptions on apps and websites (Copyright 2022 The Associated Press. All rights reserved) Cloudflare, a widely-used web infrastructure and security service, experienced issues on February 20, 2026 that caused some users to report service disruptions on apps and websites (Copyright 2022 The Associated Press. All rights reserved) independent.co.uk
Chaos online as Cloudflare outage crashes half of the internet Chaos online as Cloudflare outage crashes half of the internet dailymail.co.uk

A fresh Cloudflare outage has again demonstrated what “the internet is decentralized” really means in 2026: one private edge-security middleman sneezes, and a meaningful slice of the public web catches pneumonia.

Users reported widespread failures reaching sites and services that sit behind Cloudflare’s network. Cloudflare acknowledged “issues with our services and/or network” and warned that users could see “errors or timeouts” while it worked to restore service, according to The Independent.

The story is not that something broke—everything breaks—but *where* it broke. Cloudflare is not merely a CDN anymore. It is an integrated stack: authoritative and recursive DNS through 1.1.1.1 and managed DNS, WAF and bot mitigation, DDoS scrubbing, TLS termination, Zero Trust access controls, and an application runtime via Workers. When a company becomes the default answer to “put it behind Cloudflare,” it also becomes a de facto control plane for large parts of the web.

Outages in such a stack can propagate in several ways. DNS is the classic amplifier: a control-plane failure can prevent zone updates, break resolution for proxied hostnames, or cause stale/incorrect records to persist in caches. At the routing layer, any instability in BGP announcements—withdrawals, route leaks, or misconfigurations—can make Cloudflare’s anycasted IP space partially unreachable from certain networks, producing cases where “it works for me” depends on your ISP and geography. And at the application edge, a bad configuration push (or a dependency inside the Workers runtime) can turn a localized problem into a global one in minutes.

The Daily Mail called the disruption “internet chaos” and claimed it “crashes half of the internet.” Hyperbole aside, the instinct is correct: consolidation at the edge turns outages into headline events.

The point here is simple. “Security as a service” has become “security as a choke point.” The market did what markets do—optimized for convenience and price—then discovered the bill arrives as systemic risk. Multi-CDN setups, independent authoritative DNS, and tested failover paths exist, but they cost real money and operational discipline. Most organizations prefer the cheaper illusion of resilience: one vendor, one dashboard, one contract, one very large blast radius.

Cloudflare will restore service, publish a postmortem, and promise improved guardrails. Meanwhile, the internet will continue outsourcing its nervous system to a handful of companies—until the next time “the cloud” reminds everyone it’s just someone else’s computer, with someone else’s outage window.