Vercel Confirms Security Incident: Attackers Entered Through Compromised Context.ai OAuth App
Vercel disclosed that attackers accessed internal systems and non-sensitive environment variables after compromising a third-party AI tool used by an employee. The company has engaged Mandiant, notified law enforcement, and contacted an affected subset of customers.

Vercel published a security bulletin on April 20, 2026 confirming that attackers gained unauthorized access to certain internal Vercel systems after first compromising Context.ai, a third-party AI tool used by one of its employees. The attacker used that foothold to take over the employee's Google Workspace account and, from there, reached Vercel environments and environment variables that were not marked as "sensitive."

The company says environment variables explicitly flagged as "sensitive" are stored in a way that prevents them from being read, and it currently has no evidence those values were accessed. Vercel characterized the attacker as "highly sophisticated based on their operational velocity and detailed understanding of Vercel's systems."
What Vercel disclosed
- Origin: a compromise of Context.ai, a third-party AI tool used by a Vercel employee, that allowed takeover of the employee's Vercel Google Workspace account.
- Scope of access: some Vercel environments and any environment variables not marked "sensitive." Variables marked sensitive were not readable.
- Customer impact: a "limited subset" of customers whose Vercel credentials were compromised have been contacted directly and told to rotate credentials. Customers who have not been contacted are not known to be affected.
- Response partners: Mandiant and additional cybersecurity firms; law enforcement notified; Context.ai engaged directly "to understand the full scope of the underlying compromise."
- Services: remain operational. Extensive protection measures and monitoring have been deployed.
Indicator of compromise
Vercel published one IOC in support of the wider community: the Google Workspace OAuth client ID used by the compromised third-party app.
110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com
The company notes that the upstream compromise potentially affected "hundreds of users across many organizations" who had authorized the same OAuth app, and it recommends that Google Workspace administrators and account owners check for usage of the app immediately.
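One way to act on that recommendation from the Workspace side is to sweep every user's OAuth token grants and match the client ID against the published IOC. The script below is an added example, not tooling from Vercel, Google, or the bulletin: it assumes the record shape of the Token resource returned by the Admin SDK Directory API (`users.tokens.list`), the sample records are constructed, and the list of "broad" scopes used for ranking is an assumption chosen for illustration.

```python
"""Check Google Workspace OAuth token grants against the client ID Vercel published.

Added example, not from Vercel's bulletin or tooling. The records below are
constructed sample data modelled on the Token resource returned by the Admin SDK
Directory API (users.tokens.list); a real sweep would page through every user
in the tenant and pass the returned records to find_grants().
"""
from dataclasses import dataclass

# The OAuth client ID Vercel published as an indicator of compromise.
IOC_CLIENT_ID = "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com"

# Scopes that give an app broad access to a user's mailbox or files; a grant of the
# IOC client carrying any of these gets the highest triage priority. (Assumed list,
# chosen for illustration; extend it for your tenant.)
BROAD_SCOPES = frozenset({
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
})

# Constructed sample records (users and displayText values are made up).
SAMPLE_TOKENS = [
    {"kind": "admin#directory#token", "userKey": "alice@example.com",
     "clientId": "110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com",
     "displayText": "Third-party AI tool (constructed)", "anonymous": False, "nativeApp": False,
     "scopes": ["https://www.googleapis.com/auth/userinfo.email", "https://mail.google.com/"]},
    {"kind": "admin#directory#token", "userKey": "bob@example.com",
     "clientId": "000000000000-unrelatedexampleapp.apps.googleusercontent.com",
     "displayText": "Unrelated app (constructed)", "anonymous": False, "nativeApp": False,
     "scopes": ["https://www.googleapis.com/auth/userinfo.email"]},
    # Same client ID, but as it might appear in a hand-edited export: padded and upper-cased.
    {"kind": "admin#directory#token", "userKey": "carol@example.com",
     "clientId": " 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.APPS.GOOGLEUSERCONTENT.COM ",
     "displayText": "Third-party AI tool (constructed)", "anonymous": False, "nativeApp": False,
     "scopes": ["https://www.googleapis.com/auth/userinfo.profile"]},
]


@dataclass(frozen=True)
class Grant:
    user: str
    client_id: str
    scopes: tuple
    broad_scopes: tuple  # the subset of scopes that fall in BROAD_SCOPES


def normalize_client_id(client_id: str) -> str:
    """Compare client IDs case-insensitively and ignore stray whitespace from exports."""
    return client_id.strip().lower()


def find_grants(token_records, ioc_client_id: str = IOC_CLIENT_ID) -> list:
    """Return one Grant per token record whose clientId matches the IOC."""
    target = normalize_client_id(ioc_client_id)
    hits = []
    for rec in token_records:
        if normalize_client_id(rec.get("clientId", "")) != target:
            continue
        scopes = tuple(rec.get("scopes", []))
        hits.append(Grant(
            user=rec.get("userKey", "<unknown user>"),
            client_id=rec["clientId"].strip(),
            scopes=scopes,
            broad_scopes=tuple(s for s in scopes if s in BROAD_SCOPES),
        ))
    # Users who granted broad scopes come first, then alphabetical.
    hits.sort(key=lambda g: (len(g.broad_scopes) == 0, g.user))
    return hits


def report(grants) -> list:
    """Human-readable triage lines, one per affected user."""
    lines = []
    for g in grants:
        priority = "HIGH" if g.broad_scopes else "MEDIUM"
        lines.append(f"{priority}: {g.user} granted {len(g.scopes)} scope(s)"
                     + (f"; broad: {', '.join(g.broad_scopes)}" if g.broad_scopes else ""))
    return lines


if __name__ == "__main__":
    for line in report(find_grants(SAMPLE_TOKENS)):
        print(line)
```

Every user returned by `find_grants` is a candidate for revoking the grant (the same Directory API exposes `users.tokens.delete`) and for the account-level checks the bulletin implies: recent sign-ins, mail forwarding rules and any secrets that user could reach.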

Recommendations to customers
Vercel's bulletin lists six actions for customers to take regardless of whether they were contacted:
- Review account and environment activity logs for suspicious activity.
- Review and rotate environment variables. Secrets that were not marked sensitive "should be treated as potentially exposed and rotated as a priority."
- Adopt the sensitive environment variables feature going forward so that secret values are protected from being read.
- Investigate recent deployments for anything unexpected; delete any that are suspect.
- Ensure Deployment Protection is set to at least Standard.
- Rotate Deployment Protection tokens if set.
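The second and third actions (rotate non-sensitive variables, then adopt the sensitive type) become mechanical once a project's variable listing is sorted by how it was stored. The script below is an added example and not Vercel's code: it assumes the response shape of the Vercel REST API's project env listing (`GET /v9/projects/{idOrName}/env`, an `envs` array whose entries carry `key`, `type` and `target`), assumes the variable types `sensitive`, `encrypted`, `plain`, `secret` and `system`, and works on a constructed sample response. The key-name pattern used to rank exposed variables is a heuristic of this example.

```python
"""Triage a Vercel project's environment variables for rotation after the incident.

Added example, not Vercel's code. Assumes the JSON shape returned by the Vercel
REST API project env listing (GET /v9/projects/{idOrName}/env): an "envs" array
whose entries carry "key", "type" and "target". The variable types and the sample
response below are assumptions for illustration.
"""
import re

# Key names that usually hold credentials; used only to rank exposed variables
# (heuristic of this example, not a Vercel rule).
SECRET_PATTERN = re.compile(
    r"SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY|API_KEY|_KEY$|DATABASE_URL", re.IGNORECASE
)

# Constructed sample listing.
SAMPLE_RESPONSE = {
    "envs": [
        {"key": "DATABASE_URL", "type": "encrypted", "target": ["production"]},
        {"key": "STRIPE_SECRET_KEY", "type": "sensitive", "target": ["production", "preview"]},
        {"key": "NEXT_PUBLIC_API_BASE", "type": "plain", "target": ["production", "preview", "development"]},
        {"key": "GITHUB_TOKEN", "type": "plain", "target": ["preview"]},
        {"key": "VERCEL_URL", "type": "system", "target": ["production", "preview", "development"]},
    ]
}


def classify(env: dict) -> str:
    """Map one variable to a triage bucket.

    protected: stored as "sensitive", so the value could not be read back.
    skip:      platform-provided ("system") value, not a user secret.
    rotate:    readable value whose name looks like a credential.
    review:    readable value that does not look like a credential; confirm by hand.
    """
    env_type = env.get("type", "")
    if env_type == "sensitive":
        return "protected"
    if env_type == "system":
        return "skip"
    if SECRET_PATTERN.search(env.get("key", "")):
        return "rotate"
    return "review"


def triage_env_vars(response: dict) -> dict:
    """Group a project's env listing into triage buckets, each sorted by key."""
    buckets = {"rotate": [], "review": [], "protected": [], "skip": []}
    for env in response.get("envs", []):
        buckets[classify(env)].append({
            "key": env.get("key", ""),
            "type": env.get("type", ""),
            "target": list(env.get("target", [])),
        })
    for bucket in buckets.values():
        bucket.sort(key=lambda e: e["key"])
    return buckets


def rotation_plan(buckets: dict) -> list:
    """Work list for a responder: rotate first, then re-create the variable as
    sensitive so the new value cannot be read back, then review the rest."""
    plan = []
    for env in buckets["rotate"]:
        plan.append(f"ROTATE {env['key']} ({env['type']}, targets: {', '.join(env['target'])}) "
                    "and re-create as sensitive")
    for env in buckets["review"]:
        plan.append(f"REVIEW {env['key']} ({env['type']}): value was readable; rotate if it is a secret")
    return plan


if __name__ == "__main__":
    for line in rotation_plan(triage_env_vars(SAMPLE_RESPONSE)):
        print(line)
```

The `protected` bucket is there to make the bulletin's distinction visible: values stored as sensitive are the ones Vercel says it has no evidence were read, so they are listed separately rather than pushed into the rotation queue. Rotating a value without also re-creating it as a sensitive variable leaves it readable the next time an account is taken over, which is why the plan pairs the two steps.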
Timeline of published updates
| Date and time (PST) | Update |
|---|---|
| April 19, 11:04 AM | IOC published to support wider investigation and vetting. |
| April 19, 6:01 PM | Origin of the attack and additional recommendations published. |
| April 20 | Bulletin last updated. |
The bulletin does not disclose how many customers were contacted, what types of data may have been exfiltrated, or when the unauthorized access began. Vercel says it continues to investigate "whether and what data was exfiltrated" and will contact customers if further evidence of compromise emerges.