Cloudflare WAF blocks MCP Notion tool calls containing shell heredocs / shell metacharacters
Summary
The Notion MCP tool (mcp__claude_ai_Notion__notion-update-page and notion-create-pages) consistently fails when the markdown payload contains common shell-script patterns. The failure happens at Anthropic's Cloudflare edge — the request never reaches Notion's API.
Trigger patterns observed
Any of the following inside the content / new_str / old_str payload reliably triggers the block:
- Bash heredocs:
cat <<EOF ... EOF - Compound shell:
cmd1 || true,cmd1 && cmd2 sed -i 's/.../.../'with quoted replacement- Mixed shell metacharacters in fenced code blocks (e.g. an OS-prep walkthrough)
Pure prose updates of the same byte size succeed. Plain bash like kubectl get pods -A succeeds. The trigger appears to be specific token patterns, not payload size or block count.
Error returned to the tool
Streamable HTTP error: Error POSTing to endpoint: <!DOCTYPE html>
... <title>Attention Required! | Cloudflare</title>
<h2>You are unable to access anthropic.com</h2>
Cloudflare Ray ID: 9ff9f60e1807ccd4
Multiple ray IDs from one session (one minute apart, similar payload): 9ff8758d0c4ca6ab, 9ff877a4aa63a6ab, 9ff879a3181ea6ab, 9ff9f60e1807ccd4.
Repro
- Create or fetch any Notion page via MCP.
- Call
notion-update-pagewithupdate_contentandnew_strcontaining a bash code block with a heredoc, e.g.:
````
bash`
cat >/etc/hosts <<EOF
10.0.0.1 host1
EOF
```
- Observe the Cloudflare HTML error returned in place of the expected JSON.
Impact
The MCP Notion tools are advertised for documentation workflows. Writing devops/SRE runbooks (kubeadm, helm, ansible, etc.) routinely produces content that includes these shell patterns. Today such runbooks cannot be authored end-to-end via the MCP tool without splitting every shell block into one-command-per-call to stay under the WAF trigger threshold — a heavy workflow tax.
Possible fixes (for the Anthropic team)
- Tune the Cloudflare WAF ruleset on the MCP proxy endpoint to allow shell-shaped content (this is the obvious one).
- Or have the Notion MCP server base64-encode the payload server-side before forwarding to Notion, bypassing the WAF rule on the user-facing endpoint.
- Or document a known workaround in the MCP tool description so users don't lose time diagnosing.
Environment
- Claude Code (CLI), darwin/amd64
- Model: Opus 4.7 (1M context)
- Date observed: 2026-05-22
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗