A vulnerability in Cloudflare's Mutual TLS implementation allowed certificates from one zone to be used in another zone through session resumption, tracked as CVE-2025-23419. The security flaw was discovered through Cloudflare's Bug Bounty Program and was mitigated within 32 hours by disabling TLS session resumption for mTLS customers.

https://blog.cloudflare.com/resolving-a-mutual-tls-session-resumption-vulnerability/

via https://blog.cloudflare.com/rss/
