Best of Vercel, April 2026

  1. Article
    Vercel · 5w

    Summary of CVE-2026-23869

    A high-severity vulnerability (CVSS 7.5) tracked as CVE-2026-23869 affects React Server Components in Next.js 13.x through 16.x. A specially crafted HTTP request to any App Router Server Function endpoint can trigger excessive CPU usage upon deserialization, leading to Denial of Service. Vercel has deployed WAF mitigations to protect hosted projects automatically, but users must still upgrade to patched versions (15.5.15 or 16.2.3) as the WAF alone is not sufficient protection.

  2. Article
    Vercel · 6w

    Query and manage Marketplace databases from the dashboard

    Vercel now lets developers run SQL queries, view and edit table data, and inspect database schemas directly from the Vercel dashboard. The feature supports marketplace integrations including AWS Aurora Postgres, Neon, Prisma, and Supabase. Three new tabs are added to the integration resource page: Query (run SQL, export as CSV/JSON/Markdown), Data Editor (spreadsheet-like row editing with atomic commits), and Schema (visual graph of tables and relations). Currently available to users with Owner permissions.

  3. Article
    Vercel · 4w

    Vercel Flags is now generally available

    Vercel Flags is now generally available as a built-in feature flag provider on the Vercel platform. It allows teams to create and manage feature flags with targeting rules, user segments, and environment controls directly from the Vercel Dashboard. The Flags SDK offers framework-native integration for Next.js and SvelteKit, requiring only a few lines of code to define and use flags. For teams on other frameworks or custom backends, the adapter supports the OpenFeature standard for provider-agnostic usage.

  4. Article
    Collections · 4w

    Vercel discloses security incident involving unauthorized internal access

    A Vercel security breach in April 2026 was traced to a compromised OAuth token from Context.ai, a third-party AI tool connected to a Vercel employee's Google Workspace account. Context.ai had been breached via an AWS compromise and an infostealer infection, allowing attackers to use persistent OAuth tokens to access Vercel's internal systems. Attackers enumerated non-sensitive environment variables — which Vercel did not encrypt at rest by default — and accessed customer API keys, GitHub tokens, npm tokens, and source code. The incident highlights the danger of OAuth sprawl, especially as AI tools request broad permissions and employees adopt them without IT review. Vercel has shipped over 20 product improvements and recommends customers rotate all credentials stored in non-sensitive environment variables. The broader pattern mirrors previous breaches (Codecov, CircleCI, Snowflake, Okta) and points to a structural gap in how OAuth grants and non-human identities are governed.

  5. Article
    Vercel · 6w

    Custom Class Serialization in Workflow DevKit

    Vercel's Workflow DevKit now supports custom class serialization via the new @workflow/serde package. Developers can define how their class instances are serialized and deserialized across workflow and step function boundaries by implementing two static methods using WORKFLOW_SERIALIZE and WORKFLOW_DESERIALIZE symbols. The feature is demonstrated using the @vercel/sandbox class, where instances are automatically converted to plain data when crossing step boundaries and reconstructed on the other side, enabling seamless passing of complex objects in durable workflows.

  6. Article
    Vercel · 2w

    Vercel now supports Pro plan in Stripe Projects

    Vercel now supports Pro plan provisioning and upgrades directly from Stripe Projects using shared payment tokens (SPTs). Developers and agents can manage Vercel plan changes programmatically via the Stripe CLI without switching between dashboards. The feature supports both upgrade and downgrade flows and builds on the earlier Stripe Projects developer preview. Getting started requires installing the Stripe projects plugin and running a single CLI command.

  7. Article
    Vercel · 4w

    How GitBook serves 30,000 sites with sub-second content updates

    GitBook hosts 30,000 documentation sites on a single Vercel deployment, serving 120 million monthly page views. The engineering team solved multi-tenant cache invalidation by using Next.js tag-based caching with Vercel's `use cache` directive, enabling content updates to propagate globally within 300ms after a merge event. The system processes 40,000 cache invalidations daily without triggering broad purges across unrelated sites. A notable infrastructure challenge is that 41% of traffic now comes from AI crawlers, which create less predictable cache access patterns than human readers. Future work includes adaptive documentation that personalizes content per reader, adding further complexity to the caching model.

  8. Article
    Vercel · 6w

    Gemma 4 on AI Gateway

    Google's Gemma 4 models are now available on Vercel AI Gateway. Two variants are offered: a 26B Mixture-of-Experts model (activating only 3.8B parameters during inference for lower latency) and a 31B Dense model (all parameters active, better for fine-tuning). Both support 256K context, 140+ languages, native vision, function-calling, agentic workflows, and structured JSON output. Access them via the AI SDK using model identifiers `google/gemma-4-26b-a4b-it` or `google/gemma-4-31b-it`, with no markup and no separate provider account required.