
CVE-2026-33768: CWE-441: Unintended Proxy or Intermediary ('Confused Deputy') in withastro astro

Medium
Tags: Vulnerability, CVE-2026-33768, CWE-441, CWE-862
Published: Tue Mar 24 2026 (03/24/2026, 18:40:12 UTC)
Source: CVE Database V5
Vendor/Project: withastro
Product: astro

Description

CVE-2026-33768 is a medium severity vulnerability in the Astro web framework in versions prior to 10.0.2. It is an unintended proxy ('confused deputy') issue: the @astrojs/vercel serverless entrypoint reads the x-astro-path request header and the x_astro_path query parameter and rewrites the internal request path to whatever they contain, without any authentication or authorization check. An attacker can therefore bypass platform-level path restrictions on Vercel deployments that do not use Edge Middleware and reach restricted paths such as /admin. The rewrite applies to all HTTP methods, including POST, PUT, and DELETE, and preserves the original method and body, so it can be used to perform unauthorized actions, not only to read. Firewall rules that block sensitive paths are ineffective against such requests, because the rule sees the outer path (for example /api/health) while the function serves the overridden one. The issue is patched in Astro version 10.0.2.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/31/2026, 20:36:22 UTC

Technical Analysis

CVE-2026-33768 is classified under CWE-441 (Unintended Proxy or Intermediary, also known as 'Confused Deputy') and CWE-862 (Missing Authorization). The flaw is in the @astrojs/vercel serverless entrypoint of the Astro web framework prior to version 10.0.2. The entrypoint reads the x-astro-path HTTP header and the x_astro_path query parameter and rewrites the internal request path to their value without any authentication or authorization check. An attacker can therefore override the path the application routes, bypassing Vercel's platform-level path restrictions when no Edge Middleware is deployed in front of the function.

The rewrite preserves the original HTTP method and request body, so POST, PUT, DELETE and other methods, not just GET, can be routed to sensitive endpoints. For example, a firewall rule blocking /admin/* is circumvented by a request such as POST /api/health?x_astro_path=/admin/delete-user: the rule sees /api/health, while the function rewrites the path to /admin/delete-user and processes the request there with its original method and body. This can lead to unauthorized access to and modification of sensitive resources. Because the override is applied inside the serverless function, a control that only inspects the request path before the function runs never sees the effective path; only a control that matches on the x-astro-path header and x_astro_path parameter themselves, or one that runs before the function and strips them, can stop it.

The vulnerability has a CVSS 3.1 base score of 6.5 (medium): network attack vector, low attack complexity, no privileges required, no user interaction, limited confidentiality and integrity impact, and no availability impact (consistent with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). The issue was publicly disclosed on March 24, 2026, and fixed in Astro version 10.0.2. No exploitation in the wild has been reported to date.
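The following is an added example, not code from Astro, @astrojs/vercel or Vercel. It models the pattern described above in plain Node.js: a hypothetical platform path rule that inspects the request URL as received, a vulnerable path resolver that honours the client-supplied override, and the hardened form that routes only on the received URL. All function and field names are hypothetical, the blocked prefix list and the probe request are constructed for illustration, and header names are assumed to arrive lowercased.

```javascript
// Added example, not code from Astro or Vercel. Models the CVE-2026-33768 pattern:
// a platform path rule inspects the request URL as received, while a vulnerable
// entrypoint routes on a client-controlled override, so the two disagree.

const BLOCKED_PREFIXES = ['/admin'];            // assumed platform-level deny rule

function matchesPrefix(pathname, prefixes) {
  return prefixes.some(p => pathname === p || pathname.startsWith(p + '/'));
}

// Hypothetical platform firewall: evaluates only the path of the request as received.
function platformFirewallAllows(req) {
  const { pathname } = new URL(req.url, 'http://localhost');
  return !matchesPrefix(pathname, BLOCKED_PREFIXES);
}

// Vulnerable pattern (pre-10.0.2 behaviour as the advisory describes it): the
// x-astro-path header or the x_astro_path query parameter replaces the routed path.
function resolvePathVulnerable(req) {
  const url = new URL(req.url, 'http://localhost');
  const override = req.headers['x-astro-path'] ?? url.searchParams.get('x_astro_path');
  return override ?? url.pathname;
}

// Hardened pattern: route only on the received URL; client-supplied overrides are ignored.
function resolvePathHardened(req) {
  return new URL(req.url, 'http://localhost').pathname;
}

// Simulated deployment: the firewall runs first, then the function routes the request.
// Method and body are carried through unchanged, as in the real rewrite.
function dispatch(req, resolvePath) {
  if (!platformFirewallAllows(req)) {
    return { status: 403, routed: null, method: req.method, body: req.body };
  }
  return { status: 200, routed: resolvePath(req), method: req.method, body: req.body };
}

// Constructed probe: the outer path is allowed, the override targets a blocked one.
const PROBE = {
  method: 'POST',
  url: '/api/health?x_astro_path=/admin/delete-user',
  headers: {},                                   // header names assumed lowercased
  body: 'user=alice',
};
// Constructed control: the same target requested directly is stopped by the rule.
const DIRECT = { method: 'POST', url: '/admin/delete-user', headers: {}, body: 'user=alice' };

function demonstrate() {
  return {
    direct: dispatch(DIRECT, resolvePathVulnerable),      // 403 from the firewall
    vulnerable: dispatch(PROBE, resolvePathVulnerable),   // 200, routed to /admin/delete-user
    hardened: dispatch(PROBE, resolvePathHardened),       // 200, routed to /api/health
  };
}

console.log(demonstrate());
```

The point the comparison makes is that the firewall's decision is identical in the vulnerable and hardened cases; what changes is which path the function serves after the firewall has already said yes. That is why a path-based rule cannot fix this on its own.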

Potential Impact

The vulnerability lets an unauthenticated attacker bypass platform-level path restrictions on Vercel deployments running Astro versions prior to 10.0.2 and reach internal endpoints such as administrative interfaces. Because the rewrite preserves the HTTP method and request body, the attacker can also perform state-changing operations (deleting users, modifying data) with requests that appear to target allowed paths but are served as restricted ones. This undermines the confidentiality and integrity of the affected application and can lead to unauthorized privileged actions or data compromise. Organizations that run Astro serverless on Vercel without Edge Middleware are at risk, especially where path-based firewall rules are the only access control on those paths. Exploitation requires no credentials or user interaction. Availability is not directly affected, although unauthorized actions can indirectly disrupt service or destroy data. The medium rating reflects the limited per-request impact scored by CVSS; the practical impact depends on what the restricted paths can do and whether the application enforces its own authorization on them.

Mitigation Recommendations

Upgrade all Astro instances to version 10.0.2 or later, where the issue is patched. Until that is done, on Vercel deployments add Edge Middleware that runs before the serverless function and rejects, or strips, requests carrying an x-astro-path header or an x_astro_path query parameter; this is the one place a platform-side control can intercept the override before the function honours it. Do not rely on path-based firewall rules alone for access control: a rule that matches the request path as received cannot see the rewritten path, so enforce authentication and authorization on the sensitive routes themselves in application logic. Treat any header or query parameter that influences routing or internal path resolution as untrusted input and validate it strictly. Search request logs for x-astro-path headers and x_astro_path parameters, paying particular attention to non-GET methods and to targets under restricted prefixes such as /admin. If a WAF sits in front of the deployment, add a rule that matches on the presence of the header or parameter rather than on the target path. Review the code base for other unintended proxies or client-controlled path overrides, and make clear to development and operations teams that client-supplied headers must not drive internal routing decisions.
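As an added example of the log review recommended above (not code from the advisory, Astro or Vercel), the following Node.js script scans request logs for the two override signals and ranks each hit. The log format is an assumption for illustration only: one JSON object per line with method, url (path plus query string) and lowercased header names. The sensitive prefixes and all sample log lines are constructed, not real traffic. The same two checks, header present or parameter present, are what an Edge Middleware or WAF rule should key on, since those run before the function sees the request.

```javascript
// Added example, not from the advisory or the Astro project: scans request logs for
// the CVE-2026-33768 override signals. Log format is an assumption: one JSON object
// per line with method, url (path plus query) and lowercase header names.

const SENSITIVE_PREFIXES = ['/admin', '/api/internal'];   // assumed sensitive routes

function hitsSensitive(pathname) {
  return SENSITIVE_PREFIXES.some(p => pathname === p || pathname.startsWith(p + '/'));
}

// Returns the override carried by a log entry, or null when neither signal is present.
function overrideIn(entry) {
  const url = new URL(entry.url, 'http://localhost');
  const fromHeader = entry.headers ? entry.headers['x-astro-path'] : undefined;
  const fromQuery = url.searchParams.get('x_astro_path');
  if (fromHeader == null && fromQuery == null) return null;
  return {
    via: fromHeader != null ? 'header' : 'query',
    requested: url.pathname,                               // what a path rule saw
    target: fromHeader != null ? fromHeader : fromQuery,   // what the function served
  };
}

// Any use of the override is worth a look; a sensitive target or a state-changing
// method is the combination the advisory warns about.
function classify(entry, o) {
  if (hitsSensitive(o.target) || entry.method !== 'GET') return 'high';
  return 'medium';
}

function scanLogs(lines) {
  const findings = [];
  for (const line of lines) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; }   // skip malformed lines
    const o = overrideIn(entry);
    if (o === null) continue;
    findings.push({ method: entry.method, ...o, severity: classify(entry, o) });
  }
  return findings;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOGS = [
  '{"method":"GET","url":"/api/health","headers":{}}',
  '{"method":"POST","url":"/api/health?x_astro_path=/admin/delete-user","headers":{}}',
  '{"method":"GET","url":"/blog","headers":{"x-astro-path":"/about"}}',
  'not json at all',
  '{"method":"DELETE","url":"/public/ping","headers":{"x-astro-path":"/admin/users/1"}}',
];

console.table(scanLogs(SAMPLE_LOGS));
```

Reporting both the requested path and the target is deliberate: the pair shows an investigator exactly what the firewall or access log recorded versus what the application actually executed, which is the gap this vulnerability opens.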


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-23T18:30:14.127Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69c2dfdbf4197a8e3b622b48

Added to database: 3/24/2026, 7:02:51 PM

Last enriched: 3/31/2026, 8:36:22 PM

Last updated: 5/7/2026, 4:36:11 AM



