Posted by colesantiago 6 days ago

Vercel April 2026 security incident (www.bleepingcomputer.com)
https://vercel.com/kb/bulletin/vercel-april-2026-security-in...
682 points | 390 comments, page 5
0xy 6 days ago
This is why you pay a real provider for serious business needs, not an AWS reseller. Next.js is a fundamentally insecure framework, as server components are an anti-pattern full of magic leading to stuff like the below. Given their standards for framework security, it's not hard to believe their business' control plane is just as insecure (and probably built using the same insecure framework).

Next.js is the new PHP, but worse, since unlike PHP you don't really know what's server side and what's client side anymore. It's all just commingled and handled magically.

https://aws.amazon.com/security/security-bulletins/rss/aws-2...

embedding-shape 6 days ago
> Next.js is the new PHP, but worse, since unlike PHP you don't really know what's server side and what's client side anymore. It's all just commingled and handled magically.

It wasn't unheard of back in the day to leak things via PHP templates, like serializing the whole user object, including private details, into a Twig template or whatever; it just happened the other way around, kind of. This was before "fat frontend, thin backend" was the prevalent architecture; many built their "frontends" from templates with just sprinkles of JavaScript back then.

sbarre 6 days ago
People say "Next.js is the new PHP" because it's the most popular and prominent tooling out there, and so by sheer number of available targets it's the one that comes up the most when things go wrong like this.

But there are more people trying to secure this framework and the underlying tools than there would be on some obscure framework or something the average company built themselves.

Also "pay a real provider", what does that mean? Are you again implying that the average company should be responsible for _more_ of their own security in their hosting stack, not less?

Most companies have _zero_ security engineers. Using a vertically-integrated hosting company like Vercel (or other similar companies, perhaps with different tech stacks; this opinion has nothing to do with Next or Node) is very likely their best and most secure option based on what they are able to invest in that area.

bakugo 6 days ago
Next.js is the polar opposite of PHP, in a way.

PHP was so simple and easy to understand that anyone with a text editor and some cheap shared hosting could pick it up, but also low level enough that almost nothing was magically done for you. The result was many inexperienced developers making really basic mistakes while implementing essential features that we now take for granted.

Frameworks like Next.js take the complete opposite approach, they are insanely complex but hide that complexity behind layers and layers of magic, actively discouraging developers from looking behind the curtain, and the result is that even experienced developers end up shooting themselves in the foot by using the magical incantations wrong.

qudat 6 days ago
Totally agree. Nextjs is a vehicle to sell their PaaS, every other feature is a coincidence.

What’s worse is Vercel corrupted the React devs and convinced them that RSC was a good idea. It’s not like React was strictly in good hands at Facebook, but at least the team there were good shepherds and trying to foster the ecosystem.

nothinkjustai 6 days ago
Looks like their rampant vibe coding is starting to catch up to them. Expect to see many pre vulns like this in the future.

jimmydoe 6 days ago
What's the cause of the breach?

raw_anon_1111 6 days ago
Why does anyone running a third party tool have access to all of their clients’ accounts? I can’t imagine something this stupid happening with a real service provider.

I see Vercel is hosted on AWS? Are they hosting everyone on a single AWS account with no tenant isolation? Something this dumb could never happen on a real AWS account. Yes, I know the internal controls that AWS has (former employee).

Anyone who is hosting a real business on Vercel should have known better.

I have used v0 to build a few admin sites. But I downloaded the artifacts, put them in a Docker container and hosted everything in Lambda myself, where I controlled the tenant isolation via separate AWS accounts, secrets in Secrets Manager, tightly scoped IAM roles, etc.

eddythompson80 6 days ago
Is AWS security boundary the AWS account? Are you expecting Vercel to provision and manage an AWS account per user? That doesn’t make any sense man, though makes sense if you’re a former AWS employee.

raw_anon_1111 6 days ago
Yes, the security boundary is the AWS account.

It doesn’t make sense for a random employee who mistakenly uses a third party app to compromise all of its users; it’s a poor security architecture.

It’s about as insecure as having one Apache server serving multiple customers’ accounts. No one who is concerned about security should ever use Vercel.

eddythompson80 6 days ago
> It’s about as insecure as having one Apache server serving multiple customers’ accounts.

You really have no clue what you’re talking about, do you? Were you a sales guy at AWS or something?

icedchai 5 days ago
He works for an AWS consulting company, where they promote cloud native solutions, driving cloud spend towards AWS. In many cases, managed cloud services are actually the way to go.

However, to say that serving multiple customers with Apache is "insecure" is inaccurate. There are ways to run virtual hosts under different user IDs, providing isolation using more traditional Unix techniques.
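One way to get the per-user virtual-host isolation icedchai refers to, as an added example that is not from this thread, assuming Apache with the third-party mpm-itk module loaded (the module path, hostnames and the two tenant accounts are placeholders):

```apache
# Assumption: mpm-itk is installed; adjust the module path for your distro.
LoadModule mpm_itk_module modules/mpm_itk.so

# Each tenant gets its own Unix user and group. The worker serving a vhost
# drops to that identity before handling the request, so a code-execution
# bug in tenant A's site runs as 'tenant_a' and cannot read tenant B's tree.
<VirtualHost *:80>
    ServerName tenant-a.example
    DocumentRoot /srv/tenants/tenant_a/public
    AssignUserID tenant_a tenant_a
    <Directory /srv/tenants/tenant_a/public>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName tenant-b.example
    DocumentRoot /srv/tenants/tenant_b/public
    AssignUserID tenant_b tenant_b
    <Directory /srv/tenants/tenant_b/public>
        Require all granted
    </Directory>
</VirtualHost>
```

This only isolates tenants if each /srv/tenants/<user> tree is owned by that user with group/other access removed. mpm-itk keeps a root-owned parent that changes identity per request, so it is a weaker boundary than separate VMs or containers but stronger than one shared www-data identity.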

raw_anon_1111 5 days ago
No, if they said they were running on separate VMs I wouldn’t have any issues.

Absolutely no serious company would run their web software on a shared Apache server with other tenants.

How did that shared hosting work out for Vercel?

icedchai 5 days ago
As always, "it depends" on the application. So I've worked for several B2B SaaS companies. None of them used a VM per tenant. In some cases, we used a database (schema...) or DB cluster per tenant.

I've read about the Vercel incident. Given the timeline (22 months?!), it sounds like they had other issues well beyond shared hosting.

scarface_74 5 days ago
There is a difference between a SaaS offering where you are running your code and serving multiple customers on one server/set of servers, and running random customer code like Vercel.

icedchai 5 days ago
I know. I just don't think code isolation was their only issue. I've read about the incident.

otterley 6 days ago
Hey, knock it off. If you disagree with someone, present a substantive counterargument.

eddythompson80 5 days ago
Already did. There is no fixing a pretender. Someone arguing akin to “the security boundary of a Linux system is the electrical strip”.
raw_anon_1111 6 days ago
Well, I know that you have never heard of someone using a third party SaaS product at any major cloud provider compromising all of their customers’ accounts.

Are you really defending Vercel as a hosting platform that anyone should take seriously?

eddythompson80 6 days ago
How is any of that a defense of Vercel? If you understood how any of this works you’d know that it isn’t. Vercel is a manifestation of what’s wrong with web development, yet it has nothing to do with “creating an AWS account per user account” nor “running a reverse proxy process per user account”.
raw_anon_1111 6 days ago
Because the same “web development” done with v0, downloaded, put in a Docker container, deployed to Lambda, with fine-grained access control on the attached IAM role (all of which I’ve done) wouldn’t have that problem.

Oh, and I never download random npm packages to my computer. I build and run everything locally within Docker containers.

It has absolutely nothing to do with “the modern state of web development”, it’s a piss poor security posture.

Again, I know how the big boys do this…

rvz 6 days ago
There is no serious reason to use Vercel, other than for those being locked into the NextJs ecosystem and demo projects.

allthetime 6 days ago
I recently got hit by a car on my bike. While I was starting the claim filing process the web portal for ICBC (British Columbia insurance) was acting a little funky / stalling / and then gave me a weird access error. Down at the bottom of the error page was a little grey underlined link that said “vercel”.

I’m not exactly surprised, but it seems like the unserious, ill-informed and lazy are taking over. There is absolutely zero reason why a large, essential public service should be overspending and running on an unnecessary managed service like vercel… yet, here we are.

tamimio 6 days ago
Another win for self-hosters. I host my own Vercel (Coolify) and it works well, all under my control, and I only expose what I want.
jamesfisher 6 days ago
Reminder the Vercel CEO is a genocide supporter, if you need more reasons to move away from it.

gib444 6 days ago
You forgot the source to back up your claim.

ascorbic 6 days ago
https://x.com/rauchg/status/1972669025525158031

jofzar 6 days ago
Oof

jeromegv 6 days ago
https://techforpalestine.org/vercel