CVE-2026-33768
Published: 24 March 2026
Summary
CVE-2026-33768 is a medium-severity Confused Deputy (CWE-441) vulnerability in Astro's @astrojs/vercel adapter. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 19.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
- Remediates the specific flaw in @astrojs/vercel by applying the patch in version 10.0.2, which prevents unauthenticated path rewriting via the x-astro-path header or x_astro_path query parameter.
- SI-10 (Information Input Validation): validates untrusted inputs such as the x-astro-path header and x_astro_path query parameter at externally facing interfaces, blocking arbitrary path overrides before internal rewriting.
- AC-3 (Access Enforcement): enforces approved authorizations on the rewritten internal request path, so restricted paths such as /admin/* remain protected despite external path manipulation.
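The two controls above, as an added example that is not @astrojs/vercel's own code: a simplified model of a serverless entrypoint that rewrites the internal request path, shown in its vulnerable shape (any client can set the override) beside a hardened shape that applies SI-10 (validate the override and only honour it from a trusted hop) and AC-3 (authorize the path the request will actually execute against, not the path seen on the wire). Only the names x-astro-path and x_astro_path come from the advisory; every function, flag and the /admin/ rule are assumptions made for this illustration.

```javascript
// Added example, not @astrojs/vercel's own code: a simplified model of a
// serverless entrypoint that rewrites the internal request path. Only the
// names x-astro-path and x_astro_path come from the advisory; every other
// name, flag and rule here is an assumption made for this illustration.

const OVERRIDE_HEADER = 'x-astro-path';   // from the advisory
const OVERRIDE_QUERY = 'x_astro_path';    // from the advisory
const RESTRICTED_PREFIXES = ['/admin/'];  // assumed firewall/policy rule
const BASE = 'http://localhost';          // only used to parse relative URLs

function isRestricted(path) {
  return RESTRICTED_PREFIXES.some((prefix) => path.startsWith(prefix));
}

function overrideFrom(req, url) {
  // Header names are assumed lower-cased, as Node's http module does.
  return req.headers[OVERRIDE_HEADER] ?? url.searchParams.get(OVERRIDE_QUERY);
}

// Vulnerable shape: whoever sends the request controls where it lands.
function resolvePathVulnerable(req) {
  const url = new URL(req.url, BASE);
  return overrideFrom(req, url) ?? url.pathname;
}

// Hardened shape (SI-10). The override is honoured only when the entrypoint
// knows it came from a trusted hop (here a flag derived from deployment
// config, never from the request) and only if it is a normalised absolute
// path: no scheme, host, query, fragment or dot segments.
function resolvePathHardened(req, opts = {}) {
  const url = new URL(req.url, BASE);
  if (!opts.overrideFromTrustedHop) return url.pathname;
  const override = overrideFrom(req, url);
  if (override == null) return url.pathname;
  const parsed = new URL(override, BASE);
  const wellFormed = parsed.origin === BASE && parsed.pathname === override;
  return wellFormed ? override : url.pathname;
}

// Request pipeline: platform firewall on the wire path, the rewrite, and
// (when enabled) an AC-3 check on the effective path. Returns the decision.
function dispatch(req, resolvePath, opts = {}) {
  const externalPath = new URL(req.url, BASE).pathname;
  if (isRestricted(externalPath) && !req.authenticatedAdmin) {
    return { status: 403, stage: 'firewall', path: externalPath };
  }
  const effectivePath = resolvePath(req, opts);
  if (opts.enforceOnEffectivePath && isRestricted(effectivePath) && !req.authenticatedAdmin) {
    return { status: 403, stage: 'authz', path: effectivePath };
  }
  return { status: 200, stage: 'handler', method: req.method, path: effectivePath };
}

// Constructed requests in the shape the advisory describes. Method and body
// survive the rewrite, which is why the issue is not limited to GET.
const craftedQuery = {
  method: 'POST',
  url: '/api/health?x_astro_path=/admin/delete-user',
  headers: {},
  body: '{"id": 42}',
  authenticatedAdmin: false,
};
const craftedHeader = {
  method: 'DELETE',
  url: '/api/health',
  headers: { 'x-astro-path': '/admin/delete-user' },
  authenticatedAdmin: false,
};

function demo() {
  return {
    vulnerable: dispatch(craftedQuery, resolvePathVulnerable),
    vulnerableHeader: dispatch(craftedHeader, resolvePathVulnerable),
    hardened: dispatch(craftedQuery, resolvePathHardened),
    defenceInDepth: dispatch(craftedQuery, resolvePathVulnerable, { enforceOnEffectivePath: true }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the vulnerable run the firewall sees /api/health, passes it, and the handler executes a POST against /admin/delete-user. The hardened resolver ignores the override because it did not come from a trusted hop, so the request stays on /api/health. The defence-in-depth run keeps the vulnerable resolver but re-checks the effective path, which is the AC-3 point: authorization evaluated on the path that is actually served cannot be sidestepped by a rewrite.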
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
The vulnerability enables unauthenticated network attackers to bypass platform-level path restrictions in a public-facing Astro web application deployed on Vercel by rewriting request paths via headers or query parameters, directly facilitating T1190: Exploit Public-Facing Application.
NVD Description
Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and x_astro_path query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel's platform-level path restrictions entirely. The override preserves the original HTTP method and body, so this isn't limited to GET. POST, PUT, DELETE all land on the rewritten path. A Firewall rule blocking /admin/* does nothing when the request comes in as POST /api/health?x_astro_path=/admin/delete-user. This issue has been patched in version 10.0.2.
Deeper analysis [AI-generated]
CVE-2026-33768 is a vulnerability in the Astro web framework, specifically the @astrojs/vercel serverless entrypoint prior to version 10.0.2. The flaw stems from the entrypoint reading the x-astro-path header or x_astro_path query parameter to rewrite the internal request path without any authentication. On deployments without Edge Middleware, this allows complete bypass of Vercel's platform-level path restrictions. The issue is rated 6.5 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) and maps to CWE-441 (Unintended Proxy or Intermediary) and CWE-862 (Missing Authorization).
Any network-accessible attacker can exploit this vulnerability without privileges or user interaction. By sending requests to permitted paths with the overriding header or query parameter, they can direct the request to restricted paths while preserving the original HTTP method and body. For instance, a POST to /api/health?x_astro_path=/admin/delete-user executes as a POST to /admin/delete-user, evading firewall rules that block /admin/* paths. This supports arbitrary methods including GET, POST, PUT, and DELETE.
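Because the override travels in a header or query parameter on an otherwise permitted path, attempts are easy to spot in access logs even where the firewall saw nothing wrong. The following is an added example, not part of the advisory or the Astro project: a small scanner that parses access records, flags any request carrying the x-astro-path header or x_astro_path query parameter, and notes whether the override points at a restricted prefix. The log line format (timestamp, method, request target, status, logged x-astro-path header or "-") and the sample lines are constructed for this example; the /admin/ rule is an assumption.

```javascript
// Added example, not from the advisory or the Astro project. Scans access
// records for requests carrying the x-astro-path header or x_astro_path query
// parameter. The log format and sample lines are constructed for this example.

const RESTRICTED_PREFIXES = ['/admin/'];  // assumed policy rule
// Constructed format: <ts> <method> <request-target> <status> <x-astro-path header or ->
const LINE_RE = /^(\S+) (\S+) (\S+) (\d{3}) (\S+)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  const [, ts, method, target, status, header] = m;
  return { ts, method, target, status: Number(status), headerOverride: header === '-' ? null : header };
}

// One finding per record that carries an override, from either source.
function inspect(rec) {
  const url = new URL(rec.target, 'http://localhost');
  const queryOverride = url.searchParams.get('x_astro_path');
  const override = rec.headerOverride ?? queryOverride;
  if (override == null) return null;
  return {
    ts: rec.ts,
    method: rec.method,
    externalPath: url.pathname,
    override,
    source: rec.headerOverride != null ? 'header' : 'query',
    targetsRestricted: RESTRICTED_PREFIXES.some((p) => override.startsWith(p)),
  };
}

function scan(lines) {
  const findings = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;  // skip lines that do not match the expected format
    const finding = inspect(rec);
    if (finding) findings.push(finding);
  }
  return findings;
}

// Constructed sample records: one benign request, the advisory's query-string
// shape, the header shape on a DELETE, a benign request with an unrelated
// query parameter, and an override that points at a public path.
const SAMPLE_LOG = [
  '2026-03-24T10:00:01Z GET /api/health 200 -',
  '2026-03-24T10:00:02Z POST /api/health?x_astro_path=/admin/delete-user 200 -',
  '2026-03-24T10:00:03Z DELETE /api/health 200 /admin/delete-user',
  '2026-03-24T10:00:04Z GET /blog/post-1?ref=home 200 -',
  '2026-03-24T10:00:05Z GET /api/health?x_astro_path=/about 200 -',
];

console.log(JSON.stringify(scan(SAMPLE_LOG), null, 2));
```

Any hit is worth reviewing on an unpatched deployment; hits where targetsRestricted is true and the method is not GET are the ones that match the advisory's bypass exactly. On a patched deployment the same scan still shows who is probing for the flaw.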
The vulnerability has been patched in @astrojs/vercel version 10.0.2. Mitigation involves updating to this version or later. Details are provided in the Astro security advisory (GHSA-mr6q-rp88-fx84), pull request #15959, commit 335a204161f5a7293c128db570901d4f8639c6ed, and release notes for @astrojs/vercel@10.0.2.
Details
- CWE(s)