
Our response to the Vercel April 2026 security incident
A breakdown of the incident, the steps we took, and what it means for you.
Outstack Engineering
Security & Platform Team
What happened
In April 2026, Vercel publicly disclosed a security incident affecting a subset of projects on their platform. Full details are in the official Vercel bulletin.
We host some of our marketing and edge workloads on Vercel. Once the disclosure came through, we treated our environment as if it were in scope and worked through our incident process.
Are my systems affected?
No. Our customer-facing services stayed online throughout. We have not seen any unusual activity, unexpected logins, or strange data access on any account.
What we did
- Rotated every environment variable our Vercel projects use, including third-party API keys and service tokens.
- Revoked and reissued the signing secrets used for webhooks and JWT verification.
- Redeployed all affected projects so nothing running still references the old credentials.
- Checked audit logs across our identity provider, Supabase, Square, Resend and Twilio for that period. Nothing unusual.
- Confirmed our main database (Supabase Postgres and Storage) is not on Vercel and was never in scope.
Scope of our Vercel footprint
| Surface | Hosted on Vercel | In scope | Status |
|---|---|---|---|
| Marketing site | Yes | Precautionary | Credentials rotated |
| Customer dashboard | No | No | Unaffected |
| Ticketing and POS backend | No | No | Unaffected |
| Supabase Postgres | No | No | Unaffected |
| Square integration | No | No | Tokens rotated as precaution |
Do I need to do anything?
Nothing from your side. No need to reset your password or regenerate API keys. We rotated everything server-side and your account credentials were never exposed.
Questions or concerns
Reach out at security@outstack.dev any time. We will keep this updated as Vercel releases more detail.
Reference: Vercel security bulletin, April 2026