
Posted by queenelvis 21 hours ago

The Vercel breach: OAuth attack exposes risk in platform environment variables(www.trendmicro.com)
Vercel April 2026 security incident - https://news.ycombinator.com/item?id=47824463 - April 2026 (485 comments)

A Roblox cheat and one AI tool brought down Vercel's platform - https://news.ycombinator.com/item?id=47844431 - April 2026 (145 comments)

325 points | 109 comments (page 2)

_the_inflator 7 hours ago
Vercel did a great job with NextJS and supports quite some OS projects.

But even before AI they had some serious struggles according to long time users.

With the introduction of the deployment platform NextJS appeared to be having advantages being deployed there.

What I can say is that Next has some weird things going on under the hood most senior coders know as “it works, no one knows why, don’t touch these 1.000 LoC here”

Build and runtime settings are a mess. Pre building a docker image on a local machine and deploying it on another turned out to be its Achilles Heel. Weird settings prioritize not as documented, different settings in one area lead to changes in default settings somewhere else. ReactJS server components played a role.

In other words: I sense that while being incredibly useful there might be more to come.

It ain’t easy for them, V16 was a rewrite which was API stable. I am not sure about that.

hungryhobbit 19 hours ago
Why is this same story repeated over and over here?

I get it, it's a big story ... but that doesn't mean it needs N different articles describing the same thing (where N > 1).

jackconsidine 19 hours ago
New information here -- I had no idea that Env enumeration was happening MONTHS before the disclosure for example and that's part of why I come to HN.

Would guess that double digit percent of readers have some level of skin in the game with Vercel

thisisauserid 19 hours ago
Maybe this flood is a response to the constant flood of:

"Why do people use Vercel?"

"Because it's cheap* and easy."

*expensive

The_Blade 18 hours ago
I didn't know it was OAuth related. When did that hit the front page here?

In fact, the sparse details had Barbara warming up her vocal cords.

pier25 18 hours ago
Funny how the headline tries to spin this as an env vars issue.

By far the biggest issue is being able to access the production environment of millions of customers from a Google Workspace. Only a handful of Vercel employees should be able to do that with 2FA if not 3FA.

jwpapi 18 hours ago
No one should be. Why are the environment variables not encrypted themselves, and the encryption key stored with your OAuth provider?

progbits 17 hours ago
Vercel runtime must be able to access the values (so customers' apps can use them). But nobody else should ever be able to. This is the typical amateur hour security, but on the other hand, who was naive enough to expect any better from Vercel?

greenmilk 19 hours ago
To me the biggest (but not only) issue is that blindly connecting sensitive tools to 3rd party services has been normalized. Every time I hear the word "claw" I cringe...
rzgrozt 3 hours ago
I'm glad that I chose Cloudflare Pages instead of Vercel to deploy my website last week :)

krooj 20 hours ago
Interesting - I wonder if this isn't a case of theft on a refresh token that was minted by a non-confidential 3LO flow w/PKCE. That would explain how a leaked refresh token could then be used to obtain access, but does the Vercel A/S not implement any refresh token reuse detection? i.e.: you see the same R/T more than once, you nuke the entire session b/c it's assumed the R/T was compromised.
pier25 19 hours ago
> The CEO publicly attributed the attacker's unusual velocity to AI

Unusual velocity? Didn't the attacker have the OAuth keys for months?

steve1977 18 hours ago
But they got it via Context.ai, so there you have it, it's even in the name!
jdiaz97 18 hours ago
He's just lying tbh, this sounds cool and makes you sound less incompetent