Cloudflare WAF blocks MCP Notion tool calls containing shell heredocs / shell metacharacters

Resolved 💬 2 comments Opened May 22, 2026 by vijay2c8 Closed May 25, 2026

Summary

The Notion MCP tool (mcp__claude_ai_Notion__notion-update-page and notion-create-pages) consistently fails when the markdown payload contains common shell-script patterns. The failure happens at Anthropic's Cloudflare edge — the request never reaches Notion's API.

Trigger patterns observed

Any of the following inside the content / new_str / old_str payload reliably triggers the block:

  • Bash heredocs: cat <<EOF ... EOF
  • Compound shell: cmd1 || true, cmd1 && cmd2
  • sed -i 's/.../.../' with quoted replacement
  • Mixed shell metacharacters in fenced code blocks (e.g. an OS-prep walkthrough)

Pure prose updates of the same byte size succeed. Plain bash like kubectl get pods -A succeeds. The trigger appears to be specific token patterns, not payload size or block count.

Error returned to the tool

Streamable HTTP error: Error POSTing to endpoint: <!DOCTYPE html>
... <title>Attention Required! | Cloudflare</title>
<h2>You are unable to access anthropic.com</h2>
Cloudflare Ray ID: 9ff9f60e1807ccd4

Multiple ray IDs from one session (one minute apart, similar payload): 9ff8758d0c4ca6ab, 9ff877a4aa63a6ab, 9ff879a3181ea6ab, 9ff9f60e1807ccd4.

Repro

  1. Create or fetch any Notion page via MCP.
  2. Call notion-update-page with update_content and new_str containing a bash code block with a heredoc, e.g.:

```
`bash
cat >/etc/hosts <<EOF
10.0.0.1 host1
EOF
`
```

  1. Observe the Cloudflare HTML error returned in place of the expected JSON.

Impact

The MCP Notion tools are advertised for documentation workflows. Writing devops/SRE runbooks (kubeadm, helm, ansible, etc.) routinely produces content that includes these shell patterns. Today such runbooks cannot be authored end-to-end via the MCP tool without splitting every shell block into one-command-per-call to stay under the WAF trigger threshold — a heavy workflow tax.

Possible fixes (for the Anthropic team)

  • Tune the Cloudflare WAF ruleset on the MCP proxy endpoint to allow shell-shaped content (this is the obvious one).
  • Or have the Notion MCP server base64-encode the payload server-side before forwarding to Notion, bypassing the WAF rule on the user-facing endpoint.
  • Or document a known workaround in the MCP tool description so users don't lose time diagnosing.

Environment

  • Claude Code (CLI), darwin/amd64
  • Model: Opus 4.7 (1M context)
  • Date observed: 2026-05-22

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗