VBS-2026-0020 | CRITICAL | CVSS 9.2 | CWE-284 (Improper Access Control)
Vercel April 2026 incident: third-party AI OAuth compromise led to internal access
Vercel disclosed unauthorized access to some internal systems after the OAuth grant of a third-party AI tool was compromised and used to take over a Vercel employee's Google Workspace account. Vercel reported that environment variables not marked as sensitive should be treated as exposed and rotated.
Rotate every environment variable that is not marked sensitive, re-add secrets as sensitive so their values can no longer be read back, enforce 2FA, audit deployment and activity logs for actions you did not initiate, and reduce the blast radius of workforce OAuth integrations by limiting the scopes they hold and the accounts that may grant them. Note that 2FA does not stop abuse of an OAuth token that has already been granted; reviewing and revoking third-party grants in the identity provider is the control that addresses the access path used in this incident.
How do I check if my app is affected by the Vercel April 2026 incident (third-party AI OAuth compromise led to internal access)?
The compromise happened on Vercel's side, through a third-party AI tool's OAuth grant and an employee's Google Workspace account, so there is no vulnerable code pattern to search for in your own repository. Instead, check three things: list the environment variables of every Vercel project and treat any that are not marked sensitive as exposed; review deployment and activity logs for deployments, environment changes or team changes you did not make; and inventory the third-party OAuth integrations your own workforce has granted, since the same takeover pattern applies to any organization. This is rated CVSS 9.2, so treat it as a live incident if your app is already in production.
Why is this classified as CWE-284 (Improper Access Control) at critical severity?
The weakness is at the identity layer rather than in application code: a compromised OAuth grant belonging to a third-party AI tool let an attacker take over a Vercel employee's Google Workspace account and, through it, reach internal systems that the attacker was not authorized to access. Vercel reported that environment variables not marked as sensitive should be treated as exposed and rotated, which is what makes the impact critical for customers.
How do I fix the Vercel April 2026 incident (third-party AI OAuth compromise led to internal access)?
1. Rotate every environment variable that is not marked sensitive, starting with production credentials (database URLs, API keys, tokens).
2. Re-add each rotated secret as a sensitive environment variable so its value cannot be read back from the dashboard or API.
3. Enforce 2FA for all team members.
4. Audit deployment and activity logs for deployments, environment changes or membership changes you did not initiate.
5. Reduce the blast radius of workforce OAuth integrations: review and revoke third-party grants you do not need, restrict the scopes of those you keep, and limit who may authorize new ones.
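The audit in steps 1 and 2 can be scripted. The following is an added example, not Vercel's own tooling: it assumes that a project's environment-variable listing is available as JSON with a top-level "envs" list whose items carry "key", "type" and "target" fields, and that "sensitive" and "system" are among the possible type values; the listing below is constructed sample data, not real project data. It applies Vercel's rule directly: anything not stored as sensitive is treated as exposed and scheduled for rotation, production first.

```python
"""Environment-variable exposure audit for the Vercel April 2026 incident.

Added example, not Vercel's own tooling. Assumed input shape: JSON with an
"envs" list of objects carrying "key", "type" and "target" (field names and
the "sensitive"/"system" type values are assumptions about the listing API).
Rule, following Vercel's guidance: every variable not stored as "sensitive"
is treated as exposed and must be rotated, then re-added as sensitive.
"""
import json
from dataclasses import dataclass

# Constructed sample listing; not real project data.
SAMPLE_ENV_LISTING = json.dumps({
    "envs": [
        {"key": "DATABASE_URL", "type": "encrypted", "target": ["production"]},
        {"key": "STRIPE_SECRET_KEY", "type": "sensitive", "target": ["production"]},
        {"key": "NEXT_PUBLIC_API_BASE", "type": "plain", "target": ["production", "preview"]},
        {"key": "SENDGRID_API_KEY", "type": "encrypted", "target": ["preview", "development"]},
        {"key": "VERCEL_URL", "type": "system", "target": ["production"]},
    ]
})

# Higher number = rotate first; production credentials are the live blast radius.
TARGET_PRIORITY = {"production": 3, "preview": 2, "development": 1}
ACTION_ORDER = {"rotate": 0, "review": 1, "ok": 2, "skip": 3}


@dataclass(frozen=True)
class Finding:
    key: str
    var_type: str
    targets: tuple
    action: str  # "rotate", "review", "ok" or "skip"


def classify(key: str, var_type: str) -> str:
    """Decide what to do with one variable based on how it is stored."""
    if var_type == "sensitive":
        return "ok"      # write-only value; cannot be read back after creation
    if var_type == "system":
        return "skip"    # platform-provided, holds no customer secret
    if key.startswith("NEXT_PUBLIC_"):
        return "review"  # shipped to the browser anyway; confirm it holds no secret
    return "rotate"      # plain/encrypted values are readable with project access


def audit(listing_json: str) -> list[Finding]:
    """Classify every variable and order the findings by urgency."""
    envs = json.loads(listing_json)["envs"]
    findings = [
        Finding(e["key"], e["type"], tuple(e["target"]), classify(e["key"], e["type"]))
        for e in envs
    ]
    # Rotations first, and within an action the most exposed environment first.
    return sorted(
        findings,
        key=lambda f: (ACTION_ORDER[f.action], -max(TARGET_PRIORITY.get(t, 0) for t in f.targets)),
    )


def rotation_plan(listing_json: str) -> list[str]:
    """Keys that must be rotated and re-added as sensitive, most exposed first."""
    return [f.key for f in audit(listing_json) if f.action == "rotate"]


if __name__ == "__main__":
    for f in audit(SAMPLE_ENV_LISTING):
        print(f"{f.action:<7} {f.key:<22} type={f.var_type:<10} targets={','.join(f.targets)}")
```

On the sample listing the plan rotates DATABASE_URL before SENDGRID_API_KEY because the former is bound to production; the already-sensitive Stripe key needs no action and the platform-provided VERCEL_URL is skipped. Replace the constructed listing with your project's real export and feed the resulting key list into your secret-rotation procedure.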
What can an attacker do with VBS-2026-0020?
The rating is CVSS 9.2 (critical). In the incident itself the attacker reached Vercel internal systems through a hijacked employee account. For customers, the exposure Vercel disclosed is the value of every environment variable not marked sensitive; those values commonly include database connection strings and third-party API keys, and whoever holds them can use them against your backing services until they are rotated.