CVE-2026-27118: CWE-346: Origin Validation Error in sveltejs kit
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning. An internal query parameter intended for Incremental Static Regeneration (ISR) is accessible on all routes, allowing an attacker to cause sensitive user-specific responses to be cached and served to other users. Successful exploitation requires a victim to visit an attacker-controlled link while authenticated. Existing deployments are protected by Vercel's WAF, but users should upgrade as soon as possible. This vulnerability is fixed in 6.3.2.
AI Analysis
Technical Summary
CVE-2026-27118 affects the @sveltejs/adapter-vercel package used in the SvelteKit framework, which facilitates rapid development of performant web applications. The vulnerability arises from improper origin validation related to an internal query parameter designed for Incremental Static Regeneration (ISR). This parameter is accessible on all routes, enabling attackers to manipulate cache behavior. Specifically, an attacker can craft a URL containing this parameter that, when visited by an authenticated user, causes the server to cache personalized responses. Subsequent users accessing the same cached content may receive sensitive data not intended for them, leading to information disclosure. The flaw is categorized under CWE-346 (Origin Validation Error), indicating a failure to properly verify the origin of requests before caching. The vulnerability does not require the attacker to have privileges or authentication, but successful exploitation depends on tricking a victim into clicking a malicious link while authenticated. Although Vercel’s WAF provides some defense by filtering malicious requests, it is not a complete mitigation. The issue was addressed in version 6.3.2 of @sveltejs/adapter-vercel by correcting the origin validation and cache handling logic to prevent poisoning. The CVSS 4.0 base score is 5.3, reflecting a medium severity due to the moderate impact on confidentiality and the requirement for user interaction.
Potential Impact
The primary impact of this vulnerability is unauthorized disclosure of sensitive user-specific information due to cache poisoning. Organizations using vulnerable versions of @sveltejs/adapter-vercel risk exposing personal data or session-specific content to other users, potentially violating privacy regulations and damaging user trust. This can lead to data breaches, compliance violations (e.g., GDPR, CCPA), and reputational harm. Since the vulnerability affects web applications built with SvelteKit and deployed on Vercel through this adapter, any service relying on these technologies is at risk. Attackers can exploit this to harvest sensitive data such as authentication tokens, personal details, or proprietary information. The requirement for user interaction limits automated widespread exploitation, but targeted phishing or social engineering attacks could be effective. The presence of Vercel’s WAF reduces risk but does not eliminate it, especially for self-hosted or misconfigured deployments. Overall, the vulnerability undermines the integrity of caching mechanisms and the confidentiality of user data, posing a moderate threat to organizations worldwide.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade @sveltejs/adapter-vercel to version 6.3.2 or later, where the origin validation and cache poisoning issues are fixed. Review and audit caching configurations to ensure that user-specific or sensitive responses are not cached globally or shared across users. Implement strict validation of query parameters related to ISR to prevent unauthorized cache manipulation. Employ Content Security Policy (CSP) and other browser security headers to reduce the risk of malicious link exploitation. Educate users about phishing risks to minimize the chance of clicking attacker-controlled links while authenticated. For deployments on Vercel, verify that the WAF is enabled and properly configured to filter suspicious requests. Consider implementing additional application-layer protections such as user session binding to cached content or cache partitioning by user identity. Regularly monitor logs for unusual cache behavior or access patterns indicative of exploitation attempts. Finally, maintain an up-to-date inventory of SvelteKit versions in use and apply security patches promptly.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-17T18:42:27.043Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6998d2dfbe58cf853bb9b978
Added to database: 2/20/2026, 9:32:15 PM
Last enriched: 2/28/2026, 12:37:23 PM
Last updated: 4/6/2026, 6:02:33 AM
Views: 830