A critical cache deception vulnerability (CVE-2026-27118) was discovered in SvelteKit apps deployed on Vercel. The SvelteKit Vercel adapter's `__pathname` query parameter — intended for Incremental Static Regeneration — allows any request path to be overridden without restriction. By crafting a URL under the `/_app/immutable/` prefix (which Vercel caches unconditionally) and using `__pathname` to rewrite it to a sensitive endpoint like `/api/session`, an attacker can trick a logged-in victim into visiting the URL. Vercel's caching layer then stores the authenticated response publicly, allowing the attacker to retrieve the victim's private data without any cookies. The vulnerability required no misconfiguration — just a default SvelteKit + Vercel setup with cookie-based authentication. Vercel has automatically patched all users by returning 404 on `/_app/immutable/` paths and stripping the `__pathname` parameter. The bug was originally discovered by an AI pentesting agent from Aikido Security.
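As an added example (not code from Vercel, SvelteKit or Aikido), the following classifies a request URL by the two traits the attack combines (the force-cached prefix plus a client-supplied path override) and scans access-log lines for them, so a defender can confirm the fix is in place and look for earlier hits. The log format, `KNOWN_ASSETS` and `SAMPLE_LOG` are constructed for the example, and the check assumes it sees the URL as received at the edge, before the adapter applies the rewrite.

```javascript
const IMMUTABLE_PREFIX = '/_app/immutable/';
const OVERRIDE_PARAM = '__pathname';

// Classify a URL as received at the edge (before any adapter rewrite).
// `knownAssets`: the asset paths the build actually emitted (assumed input).
// Verdicts: 'deception' (force-cached prefix + path override, the CVE
// pattern), 'override' (override on any other path), 'immutable-miss'
// (prefix hit for an asset that does not exist), or 'allow'.
function classifyRequest(url, knownAssets = new Set()) {
  const u = typeof url === 'string' ? new URL(url, 'http://localhost') : url;
  const underPrefix = u.pathname.startsWith(IMMUTABLE_PREFIX);
  // searchParams decodes keys, so a percent-encoded __pathname still matches.
  const hasOverride = u.searchParams.has(OVERRIDE_PARAM);
  if (underPrefix && hasOverride) return 'deception';
  if (hasOverride) return 'override';
  if (underPrefix && !knownAssets.has(u.pathname)) return 'immutable-miss';
  return 'allow';
}

// Scan access-log lines shaped `<ip> <status> <cache-status> "<METHOD> <target>"`
// (constructed format; adapt LOG_RE to your logs). A 'deception' line with
// cache-status HIT means a shared cache may hold an authenticated response
// for the endpoint named in `target`.
const LOG_RE = /^(\S+) (\d{3}) (\S+) "(\w+) (\S+)"$/;
function scanAccessLog(lines, knownAssets = new Set()) {
  const findings = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue;
    const [, ip, status, cache, , rawTarget] = m;
    const url = new URL(rawTarget, 'http://localhost');
    const verdict = classifyRequest(url, knownAssets);
    if (verdict === 'allow') continue;
    findings.push({
      ip, status, cache, verdict, path: url.pathname,
      target: url.searchParams.get(OVERRIDE_PARAM),
      cachedAuthResponse: verdict === 'deception' && cache === 'HIT',
    });
  }
  return findings;
}

// Constructed sample: a real asset fetch, a cached deception hit, a probe.
const KNOWN_ASSETS = new Set(['/_app/immutable/chunks/index.js']);
const SAMPLE_LOG = [
  '203.0.113.5 200 HIT "GET /_app/immutable/chunks/index.js"',
  '203.0.113.9 200 HIT "GET /_app/immutable/x.js?__pathname=/api/session"',
  '198.51.100.2 404 MISS "GET /_app/immutable/nope.js"',
];
```

After the Vercel fix, `scanAccessLog` should only ever report such requests with status 404 and no HIT; a 200 HIT on a 'deception' line is the signal that a cached authenticated response needs purging.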

From aikido.dev