Lead Story | Critical — Active Breach · Supply Chain | Dev · Cloud+DevOps
Vercel Breached via AI Tool OAuth — Non-Sensitive Environment Variables From Hundreds of Projects Exposed
Context.ai was compromised. A Vercel employee had granted it broad OAuth access to their enterprise workspace. An unknown attacker followed that chain from the AI tool to the employee’s Google account to Vercel’s internal environments — and read environment variables from customer projects that weren’t flagged as Sensitive.
Vercel disclosed a security incident on April 20, 2026, tracing it to a prior compromise of Context.ai — a third-party AI productivity tool used by at least one Vercel employee. That employee had authenticated Context.ai’s AI Office Suite using their enterprise account and granted it broad OAuth permissions. When Context.ai’s infrastructure was later compromised, the attacker used a harvested OAuth token to pivot to the employee’s Google Workspace account, then into Vercel’s internal environments. Environment variables flagged as “Sensitive” in Vercel are stored encrypted and were not accessed. Variables without that flag are stored in plaintext — those were readable during the exposure window. Vercel confirmed the impact spans “hundreds of users across many organizations” and has directly contacted the specific subset of customers confirmed to have had credentials compromised. A BreachForums listing appeared claiming a $2 million ransom and stolen data including GitHub tokens; the group initially named denied involvement to BleepingComputer. Attribution is unconfirmed.
The attack path here did not require a Vercel vulnerability. A developer made a routine decision — connecting an AI productivity tool using their enterprise account — and a default “Allow All” OAuth scope turned that decision into a supply chain entry point. The tool’s breach became the organization’s breach. Canadian teams using Vercel should treat any non-sensitive environment variable from the breach window as potentially exposed and rotate accordingly. If personal data was accessible through those variables, PIPEDA’s breach notification requirements apply: report to the Office of the Privacy Commissioner and notify affected individuals where the breach poses a real risk of significant harm.
→ Key Takeaway
Vercel users: Go to Vercel dashboard → Settings → Integrations and audit every OAuth-connected third-party tool. Revoke any integration with broad permissions you cannot justify. Rotate all non-sensitive environment variables in projects that may have been in scope during the breach window.
Going forward: mark every variable containing a secret, token, connection string, or credential as Sensitive in Vercel project settings — Sensitive variables are encrypted and cannot be read even in a breach scenario.
Canadian organizations: if personal data was accessible via exposed variables, assess PIPEDA notification obligations at priv.gc.ca.
HARDENED does not endorse or recommend specific vendors. Tools are listed for awareness only.
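One way to triage which variables to rotate and mark Sensitive, as an added example that is not code from Vercel or from this newsletter. The inventory layout (project, key, value, sensitive) is an assumed export format, the sample entries are constructed, and the name and value patterns are heuristics rather than a complete secret detector.

```python
import re

# Name fragments that suggest a secret, token, connection string or credential.
SECRET_NAME = re.compile(
    r"(SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE|CREDENTIAL|API_?KEY|ACCESS_?KEY|"
    r"DATABASE_URL|_DSN|CONN(ECTION)?_?STR)", re.I)

# Value shapes that give a secret away even when the name looks harmless.
SECRET_VALUE = [
    ("url-with-credentials", re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)),
    ("aws-access-key-id", re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("github-token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("pem-private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]

def triage(variables):
    """Return [(project, key, reasons)] for variables not flagged Sensitive that look like secrets."""
    findings = []
    for v in variables:
        if v["sensitive"]:
            continue  # stored encrypted; outside the exposure described above
        reasons = ["name"] if SECRET_NAME.search(v["key"]) else []
        reasons += [label for label, rx in SECRET_VALUE if rx.search(v["value"])]
        if reasons:
            findings.append((v["project"], v["key"], reasons))
    return findings

# Constructed inventory (assumed layout; every value is a placeholder).
INVENTORY = [
    {"project": "storefront", "key": "NEXT_PUBLIC_SITE_NAME", "value": "Example Shop", "sensitive": False},
    {"project": "storefront", "key": "DATABASE_URL", "value": "postgres://app:EXAMPLE-ONLY@db.example.internal:5432/shop", "sensitive": False},
    {"project": "storefront", "key": "STRIPE_SECRET_KEY", "value": "constructed-placeholder", "sensitive": True},
    {"project": "docs", "key": "UPSTREAM", "value": "https://svc:EXAMPLE-ONLY@api.example.internal/v1", "sensitive": False},
    {"project": "docs", "key": "DEPLOY_HOOK_TOKEN", "value": "constructed-placeholder", "sensitive": False},
    {"project": "docs", "key": "LOG_LEVEL", "value": "info", "sensitive": False},
]

if __name__ == "__main__":
    for project, key, reasons in triage(INVENTORY):
        print(f"{project}/{key}: rotate and mark Sensitive ({', '.join(reasons)})")
```

The `UPSTREAM` entry shows why values are checked as well as names: a connection string with embedded credentials is caught even though nothing in the variable name hints at a secret.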
Quick Hits
01
React2Shell Active Campaign: 766 Confirmed Compromised Next.js Hosts, Cloud Credentials Still Being Exfiltrated
CVE-2025-55182 (React2Shell) is an unauthenticated RCE in React Server Components rated CVSS 10.0, disclosed and patched on December 3, 2025. An automated campaign has since confirmed 766 compromised Next.js hosts, with attackers sweeping environment variables for AWS access keys, SSH private keys, database passwords, and GitHub tokens. Wiz Research estimates 39% of cloud environments still contain vulnerable instances; Google Cloud Threat Intelligence attributes campaign activity to Earth Lamia and Jackpot Panda, both China state-nexus groups. No workaround exists — patched versions are Next.js 15.0.5 through 16.0.7 and React Server Components 19.0.3 through 19.2.3. Teams that stood up projects using AI scaffolding tools in late 2025 or early 2026 should verify their underlying package versions. The Hacker News →
Critical — CVSS 10.0 · Active Exploitation | Dev · Cloud+DevOps
02
Cisco Patches CVSS 9.9 ISE Command Injection and CVSS 9.8 Webex SSO Forgery — One Fix Requires a Manual Certificate Update
Cisco patched four critical vulnerabilities in Webex and Identity Services Engine (ISE) on April 15. CVE-2026-20180 (CVSS 9.9) affects ISE: an authenticated attacker with read-only admin credentials can execute arbitrary OS commands and escalate to root — effective control over an organization’s entire network access policy. CVE-2026-20184 (CVSS 9.8) affects Webex SSO: improper certificate validation lets an unauthenticated attacker forge tokens and impersonate any user. Cisco patched the backend for CVE-2026-20184, but administrators using SSO must manually upload a new IdP SAML certificate to Control Hub for the fix to take effect. No exploitation confirmed in the wild for either CVE. The Hacker News →
High — CVSS 9.9 (ISE) / 9.8 (Webex) | Enterprise · IT Ops
CVE Watch
CVE-2026-33032 (MCPwn): nginx-ui’s MCP Integration Ships Without Authentication on One Endpoint — Full Nginx Takeover in Two HTTP Requests
All 12 of nginx-ui’s MCP tools sit behind an authentication gate — except on the /mcp_message endpoint, where the gate was never wired up. Any network-adjacent attacker reaches that endpoint without credentials, invokes the full MCP tool set, rewrites Nginx configuration, and triggers an automated reload. The vulnerability was patched in nginx-ui v2.3.4 on March 15, 2026; active exploitation was documented by Recorded Future in March 2026, and VulnCheck added it to the KEV list on April 13. Shodan identifies 2,689 publicly exposed instances. Patch: upgrade to v2.3.4 immediately. If patching is not immediately possible, disable MCP functionality and restrict network access to the nginx-ui management interface.
Vendor: nginx-ui (open source) · CVE: CVE-2026-33032 · CVSS: 9.8 Critical · Affected: v2.3.3 and earlier (MCP enabled) · Fix: v2.3.4 · Exploitation: Confirmed in wild (March 2026; VulnCheck KEV Apr 13)
Compliance Tip of the Day
NIST CSF 2.0 — PR.AA — Protect: Authentication & Access Control
Your Team Authorized an AI Tool Last Monday. Do You Know What It Can Still Touch?
PR.AA-05 under NIST CSF 2.0 requires that access permissions, entitlements, and authorizations are managed incorporating least-privilege and separation of duties throughout. OAuth grants issued to third-party AI tools routinely fail this standard: employees accept default “Allow All” scopes because the approval flow asks them to, and no periodic review removes that access after the need expires. The Vercel breach demonstrates the consequence — a single overpermissioned OAuth grant to an AI tool became the initial foothold for a supply chain pivot into production environments.
Concrete action (PR.AA-05): Audit OAuth grant scopes for every AI tool integrated into your team’s workspace. Vercel, GitHub, Google Workspace, and Microsoft 365 all expose OAuth grant inventories in their admin consoles. Identify any integration holding read/write access it does not demonstrably need, downscope or revoke it, and schedule a quarterly access review.
NIST CSF 2.0 reference: nist.gov/cyberframework.
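The grant audit described above, sketched as an added example that is not taken from NIST or from any vendor's console. It assumes a grant inventory exported as a list of records and a team-kept map of approved scopes per app; the app names, users, dates and the `last_reviewed` field are constructed, and the scope strings are Google OAuth scopes used for illustration.

```python
from datetime import date

# Scopes that only identify the user; everything else reaches workspace data.
IDENTITY = {"openid", "email", "profile",
            "https://www.googleapis.com/auth/userinfo.email",
            "https://www.googleapis.com/auth/userinfo.profile"}
REVIEW_INTERVAL_DAYS = 90  # the quarterly access review

def scope_class(scope):
    """Classify one OAuth scope string by how much it lets the app touch."""
    if scope in IDENTITY:
        return "identity"
    return "read" if scope.endswith(".readonly") else "read/write"

def audit(grants, approved, today):
    """Return [(user, app, action, detail)] for grants that need attention.
    approved: app name -> scopes with a documented need (a team-kept record, assumed)."""
    findings = []
    for g in grants:
        ok = approved.get(g["app"], set())
        excess = [f"{s} [{scope_class(s)}]" for s in sorted(g["scopes"])
                  if scope_class(s) != "identity" and s not in ok]
        age = (today - g["last_reviewed"]).days
        if excess:  # holds more than was ever justified
            action = "downscope" if g["app"] in approved else "revoke"
            findings.append((g["user"], g["app"], action, excess))
        elif age > REVIEW_INTERVAL_DAYS:  # justified, but the review has lapsed
            findings.append((g["user"], g["app"], "review", [f"last reviewed {age} days ago"]))
    return findings

# Constructed inventory; app names, users and dates are made up for the example.
G = "https://www.googleapis.com/auth/"
APPROVED = {"calendar-sync": {G + "calendar.readonly"}, "backup-tool": {G + "drive.readonly"}}
GRANTS = [
    {"user": "dev1@example.com", "app": "ai-notes", "last_reviewed": date(2026, 4, 13),
     "scopes": ["openid", "email", "https://mail.google.com/", G + "drive"]},
    {"user": "dev2@example.com", "app": "calendar-sync", "last_reviewed": date(2026, 3, 1),
     "scopes": ["openid", G + "calendar"]},
    {"user": "ops@example.com", "app": "backup-tool", "last_reviewed": date(2025, 12, 1),
     "scopes": ["email", G + "drive.readonly"]},
    {"user": "qa@example.com", "app": "backup-tool", "last_reviewed": date(2026, 3, 1),
     "scopes": ["email", G + "drive.readonly"]},
]

if __name__ == "__main__":
    for user, app, action, detail in audit(GRANTS, APPROVED, date(2026, 4, 20)):
        print(f"{action:9} {user} -> {app}: {'; '.join(detail)}")
```

An app with no entry in the approved map is reported for revocation rather than downscoping, which is the case of a tool connected with default scopes and never reviewed.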
On Our Radar
CPCSC Level 1 — Defence Contracts, Summer 2026 (Canada): The Government of Canada launched Level 1 of the Canadian Program for Cyber Security Certification (CPCSC) on April 14, 2026. Starting summer 2026, select defence contracts will require suppliers to hold Level 1 certification — an annual self-assessment against 13 security controls, with certification required at contract award. An online self-assessment tool is available at canada.ca. Defence suppliers who have not started the process should begin now. Levels 2 and 3 — which will require external audits (third-party and National Defence-led, respectively) and have not yet been fully implemented — are expected to follow in subsequent years.
UnDefend (Third Windows Defender LPE — No CVE, No Patch): A third LPE from the Chaotic Eclipse researcher series, UnDefend was confirmed exploited in the wild alongside RedSun on April 16 (Huntress). Microsoft has not issued a CVE, mitigation advisory, or patch for either RedSun or UnDefend as of April 20, 2026. Huntress has published detection guidance.
HARDENED
This newsletter does not constitute professional security advice. Security configurations and threat landscapes vary by organization. Consult a qualified security professional for implementation guidance specific to your environment.
How we work: HARDENED uses AI agents for research, drafting, and automation. Every issue is reviewed by humans before publication. If you spot an error, reply directly — we correct the record promptly.
Sources:
TechCrunch (Vercel breach, April 20, 2026), techcrunch.com/2026/04/20/app-host-vercel-confirms-security-incident-says-customer-data-was-stolen-via-breach-at-context-ai/
Vercel Security Bulletin (April 2026), vercel.com/kb/bulletin/vercel-april-2026-security-incident
BleepingComputer (Vercel / attribution denial), bleepingcomputer.com/news/security/vercel-confirms-breach-as-hackers-claim-to-be-selling-stolen-data/
The Hacker News (Vercel / Context.ai), thehackernews.com/2026/04/vercel-breach-tied-to-context-ai-hack.html
The Hacker News (React2Shell active campaign), thehackernews.com/2026/04/hackers-exploit-cve-2025-55182-to.html
Wiz Research (CVE-2025-55182), wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
Google Cloud Threat Intelligence (Earth Lamia / Jackpot Panda), cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182
The Hacker News (CVE-2026-33032 nginx-ui), thehackernews.com/2026/04/critical-nginx-ui-vulnerability-cve.html
Rapid7 ETR (CVE-2026-33032), rapid7.com/blog/post/etr-cve-2026-33032-nginx-ui-missing-mcp-authentication/
The Hacker News (Cisco Webex / ISE), thehackernews.com/2026/04/cisco-patches-four-critical-identity.html
Government of Canada PSPC (CPCSC Level 1), canada.ca/en/public-services-procurement/news/2026/04/government-of-canada-introduces-level-1-of-canadian-program-for-cyber-security-certification.html
NIST CSF 2.0, nist.gov/cyberframework
OPC PIPEDA, priv.gc.ca