Vercel's April 2026 Security Incident — What to Check in Your App Right Now

Vercel disclosed a security incident on April 19, 2026. If your vibe-coded app is hosted on Vercel, here are the five concrete checks to run today — and how VibeWShield surfaces them automatically.
On April 19, 2026, Vercel disclosed a security incident affecting a subset of projects. The specifics matter less than the response checklist every team on Vercel — and, honestly, every team on any preview-deployment platform — should run through now. Here is the one we ship to customers.
1. Rotate everything that was in .env — even if you don't think it leaked
When a platform provider discloses an incident, the first principle is: assume anything that lived in their environment storage was readable. Rotate Stripe secret and restricted keys, OpenAI / Anthropic keys, the Supabase service-role key, Clerk / Auth0 credentials, the Resend key, and Neon / PlanetScale connection strings (they embed the database password). Rotating is a one-hour job; reasoning about blast radius takes days.
If you're not sure which keys live in which project, run `vercel env ls` in each project: it lists every variable's name and the environments it is set for (not the values), which is exactly the inventory you need before rotating.
2. Check preview-deployment URLs for noindex, password protection, or expiry
Vercel's preview deployments do not expire by default, and unless Deployment Protection is enabled for the project they are reachable by anyone who has the URL. Past incidents taught us that URL leaks compound fast: they land in Slack, Notion, Linear attachments, and then in search indexes.
Audit:
- `vercel env pull --environment=preview --git-branch=<old-branch>` for a few old preview branches: do those credentials still work? Previews should never hold production credentials, and anything that still authenticates has not been rotated.
- Any deployment without the `noindex` meta tag and password protection?
- Preview URLs ending in `.vercel.app` exposed in public Notion / Miro / Figma shares?
3. Re-scan for secrets in your built bundle
Env-var naming is the #1 way secrets escape: anything prefixed `NEXT_PUBLIC_` (Next.js) or `VITE_` (Vite) is inlined into the client bundle at build time and ships to every browser that loads the page. A Vercel incident doesn't move those back server-side. You have to rename the variable, read it only in server code, and rotate the value, because the old one is already public.
Shell globs don't expand against a remote host, so `curl .../chunks/*.js` fetches nothing useful; enumerate the chunk paths the live page references, then grep each one:

```sh
for p in $(curl -s https://your-app.vercel.app/ | grep -oE '/_next/static/chunks/[^"]+\.js' | sort -u); do
  curl -s "https://your-app.vercel.app$p" | grep -oE '(sk_live|rk_live|sk-|AKIA|AIza|gh[pous]_)[A-Za-z0-9_-]{8,}' | sed "s|^|$p: |"
done
```

Anything that prints is a bug you already had, independent of Vercel. Expect a few false positives from the bare `sk-` prefix (it matches inside ordinary identifiers such as `disk-usage`); every other prefix on the list is a real key format.
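A scanner for this step, added here as an example and not code from the article or from VibeWShield's own `vercel.py`: it pulls the chunk paths a Next.js page references, then runs the article's prefix patterns over the chunk text with two refinements a production scanner needs, a non-alphanumeric boundary before `sk-` so words like `disk-usage` don't match, and a Shannon-entropy gate that separates issued keys from placeholders. The tail lengths, the entropy floor, and the HTML and chunk inputs are constructed for the example; against a live target you fetch `/` and each chunk path yourself.

```python
import math
import re
from collections import Counter

# The article's prefixes, each tightened with the tail its issuer uses so that a substring such
# as "disk-usage" cannot satisfy the OpenAI-style "sk-" prefix. Tail lengths are this example's
# assumptions; adjust them to the issuers your app actually uses.
PATTERNS = {
    "stripe_secret":     re.compile(r"\b(sk_live_[A-Za-z0-9]{16,})"),
    "stripe_restricted": re.compile(r"\b(rk_live_[A-Za-z0-9]{16,})"),
    "openai_like":       re.compile(r"(?<![A-Za-z0-9])(sk-[A-Za-z0-9_-]{20,})"),
    "aws_access_key_id": re.compile(r"\b(AKIA[A-Z0-9]{16})\b"),
    "google_api_key":    re.compile(r"\b(AIza[0-9A-Za-z_-]{35})\b"),
    "github_token":      re.compile(r"\b(gh[pous]_[A-Za-z0-9]{36,})\b"),
}
PREFIX = re.compile(r"^(sk_live_|rk_live_|sk-|AKIA|AIza|gh[pous]_)")
ENTROPY_FLOOR = 3.0  # bits/char: issued keys sit around 4.5+, "aaaa..." placeholders well below
CHUNK_SRC = re.compile(r"/_next/static/chunks/[^\s'\"]+\.js")


def extract_chunk_paths(html: str) -> list:
    """Chunk paths a Next.js page references, deduplicated, in page order."""
    paths = []
    for m in CHUNK_SRC.finditer(html):
        if m.group(0) not in paths:
            paths.append(m.group(0))
    return paths


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_bundle(js: str) -> list:
    """Every prefix match in js; likely_real is True when the random tail clears the floor."""
    findings = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(js):
            token = m.group(1)
            tail = PREFIX.sub("", token, count=1)      # entropy of the random part only
            h = shannon_entropy(tail)
            findings.append({"kind": kind, "token": token, "entropy": round(h, 2),
                             "likely_real": h >= ENTROPY_FLOOR})
    return findings


# Constructed inputs for the demo; nothing here was captured from a real deployment.
SAMPLE_HTML = (
    '<script src="/_next/static/chunks/webpack-0a1b2c.js" defer></script>'
    '<script src="/_next/static/chunks/main-app-3d4e5f.js" defer></script>'
    '<script src="/_next/static/chunks/main-app-3d4e5f.js" defer></script>'
)
SAMPLE_CHUNK = (
    '(self.webpackChunk_N_E=self.webpackChunk_N_E||[]).push([[931],{1234:function(e,t,n){'
    '"use strict";var r={publishable:"pk_live_51H9x7QZz3aBcDeFgHiJkLmNoPq",'  # meant for browsers
    'secret:"sk_live_51TeStK3yZ9aBcDeFgHiJkLmNoPqRsTuVwXyZ",'                # a NEXT_PUBLIC_ leak
    'tip:"free disk-usage-monitor for your deploys",'                         # must not trip "sk-"
    'openai:"sk-proj-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",'               # placeholder, low entropy
    'gh:"ghp_x1Y2z3A4b5C6d7E8f9G0h1I2j3K4l5M6n7O8",'
    'aws:"AKIAIOSFODNN7EXAMPLE"}}}]);'                                        # AWS docs example key id
)

if __name__ == "__main__":
    # Against a live target, fetch "/" and each path with urllib or requests instead of these samples.
    for path in extract_chunk_paths(SAMPLE_HTML):
        print("chunk:", path)
    for f in scan_bundle(SAMPLE_CHUNK):
        print(f"{f['kind']:18} entropy={f['entropy']:<5} real={f['likely_real']}  {f['token']}")
```

The entropy gate only separates placeholders from issued-looking values; the AWS documentation example id clears it, so treat `likely_real` as a triage hint and confirm each hit against the issuer's dashboard before rotating.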
4. Re-audit Edge Function bindings
Vercel Edge Functions run in an isolated runtime but share the project's env namespace. If a binding is marked "encrypted" in the dashboard, it's only encrypted at rest; at runtime it's plain text in the function's environment, readable by any code (and any dependency) that executes there. Verify with `vercel env ls production` that nothing was promoted from preview to production by accident.
5. Review deployment-protection logs
Vercel logs show who triggered a deploy, from which git commit, at what time. Look for:
- Deploys triggered from branches you don't own.
- GitHub App events outside business hours.
- `/api/*` route hits with unusual user-agents during the incident window.
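The three review rules above, written out as detection logic in an added example that is not from the article or from VibeWShield: the event field names, the owned-branch list, business hours, known automation clients and the incident window are this example's assumptions rather than Vercel's log-drain or GitHub audit-log schema, so map your real export onto these fields before running it.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumptions for this example; tune each to your team before trusting the output.
OWNED_BRANCH = re.compile(r"^(main|staging|release/[\w.-]+)$")     # branches deploys may come from
TEAM_TZ = timezone(timedelta(hours=2))                              # the team's local offset
BUSINESS_HOURS = (8, 19)                                            # 08:00 <= local hour < 19:00
KNOWN_AUTOMATION_UA = {"UptimeRobot/2.0"}                           # non-browser clients you expect
INCIDENT_WINDOW = ("2026-04-18T00:00:00Z", "2026-04-20T00:00:00Z")  # constructed review window


def parse_ts(ts: str) -> datetime:
    """RFC 3339 'Z' timestamps to aware datetimes (fromisoformat needs +00:00 on older Pythons)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def in_window(ts: datetime) -> bool:
    start, end = (parse_ts(t) for t in INCIDENT_WINDOW)
    return start <= ts < end


def off_hours(ts: datetime) -> bool:
    hour = ts.astimezone(TEAM_TZ).hour
    return not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1])


def expected_client(ua) -> bool:
    """Browsers and the automation you know about; anything else hitting /api/* is worth a look."""
    return bool(ua) and (ua.startswith("Mozilla/") or ua in KNOWN_AUTOMATION_UA)


def triage(events: list) -> list:
    """Apply the three review rules; returns one alert per rule hit, preserving event order."""
    alerts = []
    for ev in events:
        ts = parse_ts(ev["ts"])
        if ev["kind"] == "deploy" and not OWNED_BRANCH.match(ev.get("branch") or ""):
            alerts.append({"rule": "deploy_from_unowned_branch", "ts": ev["ts"],
                           "detail": f"{ev.get('actor')} -> {ev.get('branch')}"})
        if ev["kind"] == "github_app" and off_hours(ts):
            alerts.append({"rule": "github_app_off_hours", "ts": ev["ts"],
                           "detail": f"{ev.get('actor')} at {ts.astimezone(TEAM_TZ):%H:%M} local"})
        if (ev["kind"] == "request" and (ev.get("path") or "").startswith("/api/")
                and in_window(ts) and not expected_client(ev.get("ua"))):
            alerts.append({"rule": "api_unusual_user_agent", "ts": ev["ts"],
                           "detail": f"{ev.get('ua')} -> {ev.get('path')}"})
    return alerts


# Constructed records for the demo; the field names are this example's, not a Vercel export format.
EVENTS = [
    {"ts": "2026-04-18T14:02:11Z", "kind": "deploy", "actor": "alice", "branch": "main"},
    {"ts": "2026-04-19T03:41:08Z", "kind": "deploy", "actor": "github-app[bot]", "branch": "feat/ghost-branch"},
    {"ts": "2026-04-19T03:44:30Z", "kind": "github_app", "actor": "github-app[bot]"},
    {"ts": "2026-04-19T03:45:02Z", "kind": "request", "ua": "python-requests/2.31.0", "path": "/api/admin/export"},
    {"ts": "2026-04-19T10:15:44Z", "kind": "request", "ua": "Mozilla/5.0 (Macintosh)", "path": "/api/health"},
    {"ts": "2026-04-19T10:16:00Z", "kind": "request", "ua": "UptimeRobot/2.0", "path": "/api/health"},
    {"ts": "2026-04-19T11:20:00Z", "kind": "github_app", "actor": "github-app[bot]"},
    {"ts": "2026-04-20T11:00:00Z", "kind": "request", "ua": "curl/8.6.0", "path": "/api/users"},
]

if __name__ == "__main__":
    for a in triage(EVENTS):
        print(f"{a['ts']}  {a['rule']:28} {a['detail']}")
```

The user-agent rule is deliberately loose (anything not browser-like and not on your allowlist), because during an incident review you want the short list of odd clients to eyeball, not a tuned production detector; the allowlist is where the noise goes once you have explained a client.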
How VibeWShield helps — automatically
Our Vercel scanner (app/scanners/infra/cloud_providers/vercel.py) checks:
- Exposed build manifest (`/_next/static/...`)
- Secret patterns in chunked bundles
- Preview URLs without noindex / protection (fingerprinted via response headers)
- CORS / CSP regressions between deployments
Paste your app URL at /scan. Deep mode runs these checks in under three minutes, no credit card, no signup. If Vercel's incident disclosure updates with new specifics, we'll ship a targeted rule inside 24 hours — the scanner framework makes that a one-file change.
Rotate first, audit second, and scan third. In that order.