Vercel's April 2026 security breach originated from a compromised Context.ai Google Workspace OAuth app, through which an attacker was able to read non-sensitive environment variables belonging to a subset of Vercel customers. The key takeaway is that any environment variable not marked 'sensitive' in Vercel can be read back through the platform and should therefore be treated as potentially exposed. Recommended steps: pull each environment's variables locally with the Vercel CLI, scan the pulled files with GitGuardian to separate real secrets from ordinary configuration, rotate any exposed credentials at the upstream service that issued them (changing the value in Vercel alone does not invalidate the old credential), and store the replacements as sensitive environment variables going forward. Additional hardening steps include reviewing activity logs, auditing recent deployments, and ensuring deployment protection is enabled.
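The pull, scan, rotate and re-flag steps above, as an added example in POSIX shell. This is not code from the GitGuardian post or from Vercel; it assumes a logged-in Vercel CLI in a directory already linked to the project, and ggshield installed with GITGUARDIAN_API_KEY exported. The function names are this example's own, and the `--sensitive` flag on `vercel env add` is an assumption to confirm against your CLI version.

```shell
#!/usr/bin/env sh
# Added example (not from the GitGuardian post or Vercel): pull-scan-rotate triage for
# one Vercel project's environment variables. Assumes a logged-in Vercel CLI linked to
# the project and ggshield with GITGUARDIAN_API_KEY exported. Function names are ours.
set -eu

# Steps 1 and 2: pull one environment to a local file and scan it with ggshield.
# The pulled file holds every non-sensitive value in plaintext, so it is kept 0600,
# must never be committed, and is deleted at the end of triage.
pull_and_scan() {
  env_name="$1"                                 # production | preview | development
  out=".env.${env_name}.pulled"
  vercel env pull "$out" --environment="$env_name" --yes
  chmod 600 "$out"
  if ! ggshield secret scan path "$out"; then   # non-zero exit: ggshield found secrets
    echo "ggshield flagged secrets in $env_name: rotate them upstream first" >&2
  fi
}

# Pre-triage of a pulled .env file read on stdin (lines of the form KEY="value").
# ggshield is the real detector; this only builds the checklist of variables to rotate
# and re-create as sensitive: names that suggest a credential (catches home-grown tokens
# whose value has no recognisable format) plus URLs carrying user:password@ userinfo.
list_candidate_keys() {
  awk -F= '
    /^[A-Za-z_][A-Za-z0-9_]*=/ {
      key = $1
      val = substr($0, length(key) + 2)
      if (tolower(key) ~ /(secret|token|password|passwd|private|api_?key|access_?key|credential|dsn)/ ||
          val ~ /:\/\/[^\/@]+:[^\/@]+@/)
        print key
    }'
}

# Steps 3 and 4: once the credential has been rotated at the issuing service, replace the
# Vercel variable with the NEW value as a sensitive variable. The value arrives on stdin
# so it never lands in shell history or the process list. `--sensitive` on `vercel env add`
# is assumed here; confirm it with `vercel env add --help` on your CLI version.
replace_as_sensitive() {
  name="$1"; env_name="$2"
  vercel env rm "$name" "$env_name" --yes </dev/null
  vercel env add "$name" "$env_name" --sensitive
}

# Driver: triage every environment, then delete the pulled plaintext files.
triage_all() {
  for e in production preview development; do
    pull_and_scan "$e"
    echo "== $e: variables to rotate and re-create as sensitive =="
    list_candidate_keys < ".env.${e}.pulled"
    rm -f ".env.${e}.pulled"
  done
}

# Opt-in guard so the file can be sourced or tested without touching a real project.
if [ "${RUN_VERCEL_TRIAGE:-0}" = "1" ]; then triage_all; fi
```

Run it with `RUN_VERCEL_TRIAGE=1 sh triage.sh` from the linked project directory, then for each rotated credential `printf '%s' "$NEW_VALUE" | replace_as_sensitive NAME production`. Treat `list_candidate_keys` as a checklist builder only: a variable it does not name can still be a secret, and the ggshield scan result is the authoritative one.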

From blog.gitguardian.com
Table of contents of the original post:
Investigate, Then Rotate
Scan Your Environment Variables
Harden Controls for the Next Incident
