VYPR
Unrated severity · NVD Advisory · Published Sep 7, 2023 · Updated Sep 26, 2024

Insufficient Validation on Override Codes for Always-Enabled WARP Mode

CVE-2023-3747

Description

Zero Trust Administrators have the ability to disallow end users from disabling WARP on their devices. Override codes can also be created by the Administrators to allow a device to temporarily be disconnected from WARP. However, due to a lack of server-side validation, an attacker with local access to the device could extend the maximum allowed disconnected time of the WARP client granted by an override code by changing the date and time on the local device where WARP is running.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A local attacker can bypass WARP Safe Mode's maximum disconnection timeout by altering the device's system clock.

Vulnerability

CVE-2023-3747 concerns a client-side time-bypass in Cloudflare's WARP client (used in 1.1.1.1 + WARP and Zero Trust deployments). Administrators can configure WARP to prevent end users from disabling the VPN and issue override codes that permit temporary disconnection. However, the server does not validate the device's local time when enforcing the override code timeout. By tampering with the system clock, an attacker with local access to the device can effectively extend the allowed disconnection period beyond the administrator-defined limit. All versions of WARP client before the fix are affected [1].

Exploitation

The attacker must have local access to the device (e.g., physical possession or remote desktop with user privileges) and the device must have received a valid override code from the administrator [1]. The attacker obtains the override code (e.g., from the user's screen or logs) or takes advantage of an already granted override session. By changing the device's date and time to an earlier point within the allowed code validity window, the client's local enforcement of the timeout resets or extends the remaining duration. No authentication to Cloudflare servers is required beyond possession of the device [2].
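The root cause described above is that the remaining disconnection time is judged against the device's own clock. The following is an added, constructed model (not Cloudflare's code or the WARP client's real token format) that puts the weak local-clock check beside a server-validated design: the server mints an HMAC-signed override token whose expiry is anchored to the server clock, and the server decides on every check using its own time, so the client's clock never enters the decision. The secret, device ids, timestamps and the 3600-second limit are all assumed demo values.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment would keep this in a KMS/HSM.
SERVER_SECRET = b"demo-secret-not-for-production"
# Hypothetical administrator-defined maximum disconnection window, in seconds.
MAX_DISCONNECT_SECONDS = 3600


class LocalClockEnforcer:
    """Weak pattern: the client remembers when the override was applied and
    compares the remaining time against its *own* system clock."""

    def __init__(self, applied_at_local, max_seconds):
        self.expires_at = applied_at_local + max_seconds

    def disconnect_allowed(self, local_now):
        # Anything that moves local_now backwards extends the window.
        return local_now < self.expires_at


def issue_override_token(device_id, server_now, max_seconds):
    """Server side: mint a token whose expiry is computed from the server clock
    and bound to one device, then MAC it so the client cannot alter the claims."""
    body = json.dumps({"device": device_id, "exp": server_now + max_seconds},
                      sort_keys=True).encode()
    tag = hmac.new(SERVER_SECRET, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def server_validate(token, device_id, server_now):
    """Server side: verify MAC, device binding and expiry using the server clock.
    The client's reported local time is never consulted."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except Exception:
        return False
    body, tag = raw[:-32], raw[-32:]
    expected = hmac.new(SERVER_SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False
    claims = json.loads(body)
    return claims.get("device") == device_id and server_now < claims["exp"]


def simulate():
    """Run both enforcers against constructed timestamps and return the outcomes."""
    t0 = 1_700_000_000          # constructed epoch time when the override is applied
    rolled_back = t0 - 3000     # local clock set 50 minutes earlier than t0
    real_now = t0 + 3500        # true time: 58 min elapsed, still inside the window
    real_late = t0 + 4000       # true time: 66 min elapsed, window has expired

    local = LocalClockEnforcer(t0, MAX_DISCONNECT_SECONDS)
    local_results = {
        "honest_clock_in_window": local.disconnect_allowed(real_now),
        "honest_clock_expired": local.disconnect_allowed(real_late),
        # The local check keeps granting the disconnect once the clock is moved back.
        "rolled_back_clock": local.disconnect_allowed(rolled_back),
    }

    token = issue_override_token("device-A", t0, MAX_DISCONNECT_SECONDS)
    server_results = {
        "in_window": server_validate(token, "device-A", real_now),
        "expired": server_validate(token, "device-A", real_late),
        "wrong_device": server_validate(token, "device-B", real_now),
        # Corrupting the tail of the token breaks the MAC and is rejected.
        "tampered": server_validate(token[:-4] + "AAAA", "device-A", real_now),
    }
    return local_results, server_results


if __name__ == "__main__":
    local_out, server_out = simulate()
    print("local-clock enforcer:", local_out)
    print("server-validated enforcer:", server_out)
```

The point the model makes is that the server-side check has no input the device controls other than the opaque token, so there is nothing for a clock change to act on; the only way to extend the window is to obtain a fresh token from the administrator.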

Impact

Successful exploitation defeats the administrator's intent to enforce WARP connectivity. The attacker can keep WARP disabled on the device for an extended period, bypassing the security controls designed for Zero Trust environments. This results in a loss of integrity of the policy enforcement (compromise of the WARP client's safe mode) and potentially exposes the device to threats that WARP would have mitigated (e.g., unencrypted traffic, malware). The privilege level is local user; the scope is confined to the affected device [1][2].

Mitigation

Cloudflare released a fix for this vulnerability on 2023-09-07. Administrators should upgrade WARP clients to the latest version available through the official download channels for Windows, macOS, iOS, Android, and Linux [1][2]. No workaround exists for unpatched clients: keeping the disable lock enabled with override code controls is still advisable, but the local time manipulation vector remains until the update is applied. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)