Uncovering Vulnerabilities: SvelteKit & Vercel
On January 20, 2026, Aikido’s AI pentest agent identified a critical cache deception vulnerability in SvelteKit applications deployed on Vercel. This flaw exposed authenticated responses, allowing attackers to access sensitive data from other users.
Key Highlights:
- Vulnerability Discovered: Attackers could exploit the query parameter __pathname, causing authenticated responses to be stored in the shared cache where other users could retrieve them.
- Quick Action Taken: Aikido swiftly notified Vercel on January 21, leading to a prompt resolution by February 19, 2026.
- CVE Reported: The issue has been assigned CVE-2026-27118.
- Broader Impact: Every SvelteKit app on Vercel that uses cookies could be susceptible.
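As an added defender's-side example (not code from the post, Aikido or Vercel): a small Python scan over constructed access-log lines that flags requests carrying the __pathname query parameter and, among those, highlights cache hits served to a client other than the one whose earlier miss populated that cache key, which is the pattern a cache deception leaves behind. The log layout and the trailing HIT/MISS cache column are assumptions, not a real Vercel log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (not real traffic). Assumed layout:
# client, method, request target, status, cache result.
SAMPLE_LOG = """\
203.0.113.10 GET /account 200 MISS
203.0.113.10 GET /account?__pathname=/static/app.css 200 MISS
198.51.100.7 GET /account?__pathname=/static/app.css 200 HIT
198.51.100.7 GET /static/app.css 200 HIT
192.0.2.5 GET /api/me?__PATHNAME=x 200 MISS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")
SUSPICIOUS_PARAM = "__pathname"  # parameter named in the advisory


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, method, target, status, cache = m.groups()
    parts = urlsplit(target)
    return {"client": client, "method": method, "path": parts.path,
            "query": parse_qs(parts.query, keep_blank_values=True),
            "target": target, "status": int(status), "cache": cache}


def find_pathname_probes(log_text):
    """Return entries whose query string carries __pathname (any case)."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and any(k.lower() == SUSPICIOUS_PARAM for k in entry["query"]):
            hits.append(entry)
    return hits


def cross_client_cache_hits(entries):
    """Cache HITs on a key first populated (MISS) by a different client.

    Such a hit means one user's response was served to another user."""
    first_miss = {}  # cache key (full target) -> client that caused the MISS
    suspicious = []
    for e in entries:
        if e["cache"] == "MISS":
            first_miss.setdefault(e["target"], e["client"])
        elif e["cache"] == "HIT" and first_miss.get(e["target"], e["client"]) != e["client"]:
            suspicious.append(e)
    return suspicious
```

Running cross_client_cache_hits over the output of find_pathname_probes reports the 198.51.100.7 hit, which reused an entry populated by 203.0.113.10.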
This incident emphasizes the crucial role of pentesting in uncovering hidden vulnerabilities, especially in caching systems.
👉 Are you leveraging AI tools for web security? Share your thoughts below!