Vercel publicly disclosed a security incident on April 20, 2026. Attackers gained unauthorized access to the company’s internal systems through a compromised third-party AI tool. The tool in question was Context.ai, which had been used by a Vercel employee.
The attackers leveraged this compromise to take over the employee’s Google Workspace account, which gave them access to various Vercel environments. They accessed non-sensitive environment variables, which could potentially expose API keys and database credentials.
Vercel has identified a limited number of affected customers and has contacted them to rotate their credentials. However, the incident may impact hundreds of users across different organizations due to the OAuth app associated with Context.ai.
In response to the breach, Vercel is collaborating with Mandiant and law enforcement agencies to investigate the matter further. The company stated that its services remained operational throughout the incident, minimizing disruption for users.
Guillermo Rauch, CEO of Vercel, remarked, “The attackers were able to gain further access through the enumeration of these non-sensitive variables.” Yet, Vercel indicated it has no evidence that sensitive data was accessed during this incident.
A post on BreachForums claimed to offer Vercel data for sale for two million dollars. The legitimacy of these claims remains unconfirmed. Vercel has published specific Indicators of Compromise (IoCs) to help Google Workspace administrators check their environments for any relevant OAuth applications.
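As an added illustration of that administrator check (not code from Vercel or from this article), the sketch below scans OAuth token audit events for grants to an IoC client ID. It assumes the events were exported in the shape of the Google Admin SDK Reports API `token` activity records; the client ID is a placeholder because the article does not reproduce the IoC values, and all sample events are constructed.

```python
# Placeholder: substitute the OAuth client ID(s) from Vercel's published IoCs.
IOC = "IOC-PLACEHOLDER.apps.googleusercontent.com"
IOC_CLIENT_IDS = {IOC}
DRIVE = "https://www.googleapis.com/auth/drive.readonly"

def act(time, email, name, client_id, scopes):
    """Build one constructed record shaped like a Reports API 'token' activity."""
    return {"id": {"time": time, "applicationName": "token"},
            "actor": {"email": email},
            "events": [{"name": name, "parameters": [
                {"name": "client_id", "value": client_id},
                {"name": "scope", "multiValue": scopes}]}]}

# Constructed sample events, not real log data.
SAMPLE = [
    act("2026-03-02T09:15:00.000Z", "alice@example.com", "authorize", IOC, [DRIVE]),
    act("2026-03-05T11:00:00.000Z", "bob@example.com", "authorize", IOC, [DRIVE]),
    act("2026-03-09T08:30:00.000Z", "carol@example.com", "authorize",
        "other-app.apps.googleusercontent.com", [DRIVE]),
    act("2026-04-21T14:00:00.000Z", "bob@example.com", "revoke", IOC, [DRIVE]),
]

def params(event):
    """Flatten the name/value parameter list of one event into a dict."""
    return {p["name"]: p.get("multiValue", p.get("value"))
            for p in event.get("parameters", [])}

def find_ioc_grants(activities, ioc_client_ids):
    """Return every user grant to an IoC client, with its revocation time if any.
    Revoked grants are kept: the app held access while the grant was live."""
    grants = {}
    # Timestamps are assumed to be same-format UTC strings, so they sort as text.
    for a in sorted(activities, key=lambda a: a["id"]["time"]):
        user, when = a["actor"]["email"], a["id"]["time"]
        for ev in a.get("events", []):
            p = params(ev)
            cid = p.get("client_id")
            if cid not in ioc_client_ids or ev["name"] not in ("authorize", "revoke"):
                continue
            # A revoke with no authorize in the window still marks the user as exposed.
            g = grants.setdefault((user, cid), {"user": user, "client_id": cid,
                                                "scopes": [], "granted": None, "revoked": None})
            if ev["name"] == "authorize":
                g.update(scopes=sorted(p.get("scope") or []), granted=when, revoked=None)
            else:
                g["revoked"] = when
    return sorted(grants.values(), key=lambda g: g["user"])

if __name__ == "__main__":
    for g in find_ioc_grants(SAMPLE, IOC_CLIENT_IDS):
        status = "still active" if g["revoked"] is None else f"revoked {g['revoked']}"
        print(f"{g['user']}: granted {g['granted']}, {status}, scopes={g['scopes']}")
```

Users with a still-active grant need the app's access revoked, and every listed user, revoked or not, belongs in the scope of the credential review.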
This incident comes at a time when Vercel is valued at $9.3 billion following its most recent funding round in September 2025. The company is known for being the primary steward of Next.js—a widely used web development framework that boasts six million weekly downloads.
As investigations continue, Vercel emphasizes its commitment to user security and transparency. The company aims to mitigate risks and prevent future incidents while maintaining trust with its user base.