Cloudflare has patched a critical zero-day flaw in its Web Application Firewall (WAF) that allowed attackers to bypass its defenses and access origin web servers.