Cyber Resilience

CVE-2026-33768

Severity: Medium · Public PoC
Published: 24 March 2026
Modified: 26 March 2026
KEV Added: not listed
Patch: available (@astrojs/vercel 10.0.2)
CVSS Score (v3.1): 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
EPSS Score: 0.0033 (24.7th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-33768 is a medium-severity Confused Deputy (CWE-441) vulnerability in Astro's @astrojs/vercel package. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 24.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-33768 is a vulnerability in the Astro web framework, specifically the @astrojs/vercel serverless entrypoint prior to version 10.0.2. The flaw stems from the entrypoint reading the x-astro-path header or x_astro_path query parameter to rewrite the internal request path without any authentication. On deployments without Edge Middleware, this allows complete bypass of Vercel's platform-level path restrictions. The issue is rated 6.5 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) and maps to CWE-441 (Unintended Proxy or Intermediary) and CWE-862 (Missing Authorization).

Any network-accessible attacker can exploit this vulnerability without privileges or user interaction. By sending requests to permitted paths with the overriding header or query parameter, they can direct the request to restricted paths while preserving the original HTTP method and body. For instance, a POST to /api/health?x_astro_path=/admin/delete-user executes as a POST to /admin/delete-user, evading firewall rules that block /admin/* paths. The override applies to arbitrary methods, including GET, POST, PUT, and DELETE.
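To make the bypass concrete from the defender's side, the following added example (not code from Astro or @astrojs/vercel) models how the pre-10.0.2 entrypoint resolved the path it would actually serve, then audits a few constructed requests for cases where the visible path passes a /admin/* block rule but the served path would not. Header-over-query precedence is an assumption; the advisory does not state it.

```javascript
// Added example, not code from Astro or @astrojs/vercel. It models the path
// override described in the advisory (x-astro-path header / x_astro_path query
// parameter) so log or middleware audits can spot requests whose served path
// differs from the path a perimeter rule saw.
const OVERRIDE_HEADER = 'x-astro-path';    // header name from the advisory
const OVERRIDE_QUERY = 'x_astro_path';     // query parameter name from the advisory
const BASE = 'http://placeholder.invalid'; // base only so relative URLs parse

// Path the vulnerable entrypoint (< 10.0.2) would route to. Header before
// query is an assumption; the advisory does not state the precedence.
function effectivePath(url, headers = {}) {
  const u = new URL(url, BASE);
  const fromHeader = headers[OVERRIDE_HEADER];
  const fromQuery = u.searchParams.get(OVERRIDE_QUERY);
  return fromHeader || fromQuery || u.pathname;
}

// A perimeter rule of the kind the advisory mentions: it only ever sees the
// visible request path, never the rewritten one.
function blockedByPrefix(pathname, blockedPrefixes) {
  return blockedPrefixes.some((prefix) => pathname.startsWith(prefix));
}

// Audit one request: a bypass is a visible path the rule allows whose
// effective path the rule would have blocked. The override leaves method
// and body untouched, so the finding keeps the original method.
function auditRequest({ method, url, headers = {} }, blockedPrefixes) {
  const visible = new URL(url, BASE).pathname;
  const actual = effectivePath(url, headers);
  const bypass =
    !blockedByPrefix(visible, blockedPrefixes) &&
    blockedByPrefix(actual, blockedPrefixes);
  return { method, visible, actual, overrideUsed: visible !== actual, bypass };
}
function auditAll(requests, blockedPrefixes = ['/admin/']) {
  return requests.map((r) => auditRequest(r, blockedPrefixes));
}

// Constructed sample requests (not captured traffic). Header keys are
// lowercase, as Node's HTTP parser delivers them.
const SAMPLE_REQUESTS = [
  { method: 'GET', url: '/api/health' },
  { method: 'POST', url: '/api/health?x_astro_path=/admin/delete-user' },
  { method: 'DELETE', url: '/blog/hello', headers: { 'x-astro-path': '/admin/users/42' } },
  { method: 'POST', url: '/admin/delete-user' },
];

for (const f of auditAll(SAMPLE_REQUESTS)) {
  console.log(`${f.method} ${f.visible} -> ${f.actual}${f.bypass ? '  BYPASS' : ''}`);
}
```

The same `auditRequest` check can be run over parsed access-log entries or inside Edge Middleware, where a request with `overrideUsed` set is worth rejecting or alerting on regardless of the target path.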

The vulnerability has been patched in @astrojs/vercel version 10.0.2. Mitigation involves updating to this version or later. Details are provided in the Astro security advisory (GHSA-mr6q-rp88-fx84), pull request #15959, commit 335a204161f5a7293c128db570901d4f8639c6ed, and release notes for @astrojs/vercel@10.0.2.


Vulnerability details

Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and x_astro_path query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel's platform-level path restrictions entirely. The override preserves the original HTTP method and body, so this isn't limited to GET. POST, PUT, DELETE all land on the rewritten path. A Firewall rule blocking /admin/* does nothing when the request comes in as POST /api/health?x_astro_path=/admin/delete-user. This issue has been patched in version 10.0.2.

CWE(s)

CWE-441 (Unintended Proxy or Intermediary)
CWE-862 (Missing Authorization)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables unauthenticated network attackers to bypass platform-level path restrictions in a public-facing Astro web application deployed on Vercel by rewriting request paths via headers or query parameters, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25545: same vendor (Astro)
CVE-2026-27829: same vendor (Astro)
CVE-2025-69311: shared CWE-862
CVE-2026-3266: shared CWE-862
CVE-2026-45438: shared CWE-862
CVE-2025-23477: shared CWE-862
CVE-2025-68834: shared CWE-862
CVE-2026-22663: shared CWE-862
CVE-2024-12544: shared CWE-862
CVE-2024-50967: shared CWE-862

Affected Assets

Vendor: astro
Product: @astrojs/vercel
Versions: ≤ 10.0.2

Mitigating Controls (NIST 800-53 r5, AI-mapped)

prevent: Remediates the specific flaw in @astrojs/vercel by applying the patch in version 10.0.2 that prevents unauthenticated path rewriting via the x-astro-path header or x_astro_path query parameter.

prevent (SI-10, Information Input Validation): Validates untrusted inputs like the x-astro-path header and x_astro_path query parameter at externally facing interfaces to block arbitrary path overrides before internal rewriting.

prevent (AC-3, Access Enforcement): Enforces approved authorizations on the rewritten internal request path, ensuring restricted paths like /admin/* remain protected despite external path manipulation.

References

Astro security advisory GHSA-mr6q-rp88-fx84
Pull request #15959
Commit 335a204161f5a7293c128db570901d4f8639c6ed
Release notes for @astrojs/vercel@10.0.2