CVE-2026-27118 is a vulnerability classified under CWE-346 (Origin Validation Error) affecting the @sveltejs/adapter-vercel package used in the SvelteKit framework for building web applications. The flaw arises because an internal query parameter intended for Incremental Static Regeneration (ISR) is exposed and accessible on all routes, regardless of user or route context. This parameter controls caching behavior, and its exposure allows an attacker to craft URLs that cause sensitive, user-specific responses to be cached improperly. When a victim, who is authenticated, visits such a maliciously crafted link, the server caches the personalized response. Subsequent requests by other users may then receive this cached sensitive data, leading to information disclosure. The vulnerability does not require the attacker to have privileges or authentication but does require the victim's interaction with the malicious link. Vercel’s WAF offers some mitigation by filtering suspicious requests, but it is not a complete fix. The issue was addressed in version 6.3.2 of the adapter by properly restricting access to the internal query parameter and improving origin validation to prevent cache poisoning. The CVSS 4.0 score is 5.3 (medium), reflecting network attack vector, low complexity, no privileges required, but requiring user interaction and resulting in limited confidentiality impact. No known exploits have been reported in the wild as of now.

The primary impact of this vulnerability is the potential leakage of sensitive user-specific data due to cache poisoning. Organizations using vulnerable versions of @sveltejs/adapter-vercel on Vercel may inadvertently serve cached responses containing private information to unauthorized users. This can lead to breaches of confidentiality, loss of user trust, and potential regulatory compliance violations, especially in sectors handling sensitive personal or financial data. Since the vulnerability requires user interaction, phishing or social engineering attacks could be leveraged to exploit it. The scope includes any web application built with SvelteKit using the vulnerable adapter version and deployed on Vercel, which is a popular hosting platform. While availability and integrity impacts are minimal, the confidentiality breach risk is significant for affected deployments. The presence of Vercel’s WAF reduces the likelihood of exploitation but does not eliminate it, making timely patching critical. Organizations with high-value or sensitive user data are at greater risk, and failure to remediate could result in reputational damage and legal consequences.

1. Upgrade the @sveltejs/adapter-vercel package to version 6.3.2 or later immediately to apply the fix that restricts access to the internal ISR query parameter and prevents cache poisoning. 2. Review and audit caching configurations in SvelteKit applications to ensure no sensitive data is cached improperly, especially when using ISR or similar mechanisms. 3. Implement strict validation and sanitization of query parameters to prevent unauthorized manipulation of cache keys. 4. Employ Content Security Policy (CSP) and other HTTP security headers to reduce the risk of phishing and social engineering attacks that could trick users into clicking malicious links. 5. Monitor application logs and cache behavior for anomalies indicating potential cache poisoning attempts. 6. If using Vercel, verify that the WAF is enabled and configured correctly, but do not rely solely on it as a mitigation. 7. Educate users about the risks of clicking unknown or suspicious links, especially when authenticated. 8. Consider implementing additional application-layer controls to segregate cached content by user identity or session where feasible.