PT-2026-27487 · Astro · @Astrojs/Vercel+1
Jp-Soba · Published 2026-03-24 · Updated 2026-03-26 · CVE-2026-33768
CVSS v3.1: 9.1 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Astro versions prior to 10.0.2
Description
Astro, a web framework, contains a flaw in the @astrojs/vercel serverless entrypoint. Versions prior to 10.0.2 do not authenticate requests that carry the x-astro-path header or the x-astro-path query parameter, so an attacker can bypass Vercel's path restrictions. The bypass affects all HTTP methods, including POST, PUT, and DELETE, because the original method and body are preserved. As an example, firewall rules can be bypassed by sending a request to /api/health with the x-astro-path parameter set to a restricted path such as /admin/delete-user.
Recommendations
Update to Astro version 10.0.2 or later.
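The following is an added detection example, not code from the advisory or from the Astro project. It shows how an edge middleware or a log review can flag requests whose x-astro-path override disagrees with the path actually requested, which is the pattern the bypass relies on; it assumes the query parameter uses the same name as the header, and the restricted prefixes and function names are assumptions.

```javascript
// Added example (not from the advisory or from Astro): flag requests carrying an
// x-astro-path override, the value the vulnerable @astrojs/vercel entrypoint
// (Astro < 10.0.2, CVE-2026-33768) routed on without authenticating it.
// Assumptions: the query parameter shares the header's name; the restricted
// prefixes below are a placeholder policy to be adjusted per deployment.

const OVERRIDE_NAME = 'x-astro-path';
const RESTRICTED_PREFIXES = ['/admin', '/internal']; // assumed policy

// Return the override from the header or the query string (header wins), or null.
function extractOverride(url, lowerCaseHeaders) {
  const fromHeader = lowerCaseHeaders[OVERRIDE_NAME];
  if (typeof fromHeader === 'string' && fromHeader.length > 0) return fromHeader;
  const fromQuery = new URL(url, 'http://placeholder.invalid').searchParams.get(OVERRIDE_NAME);
  return fromQuery && fromQuery.length > 0 ? fromQuery : null;
}

// Classify one request: 'clean' (no override, or override equals the real path),
// 'suspicious' (override points elsewhere), 'block' (override targets a restricted prefix).
function inspectRequest({ method, url, headers = {} }) {
  const lowerCaseHeaders = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]),
  );
  const requestedPath = new URL(url, 'http://placeholder.invalid').pathname;
  const overridePath = extractOverride(url, lowerCaseHeaders);
  let verdict = 'clean';
  if (overridePath !== null && overridePath !== requestedPath) {
    const hitsRestricted = RESTRICTED_PREFIXES.some((p) => overridePath.startsWith(p));
    verdict = hitsRestricted ? 'block' : 'suspicious';
  }
  return { method, verdict, requestedPath, overridePath };
}

// Constructed sample traffic; the first entry mirrors the advisory's example.
const SAMPLE_REQUESTS = [
  { method: 'POST', url: '/api/health?x-astro-path=/admin/delete-user', headers: {} },
  { method: 'GET', url: '/blog', headers: { 'X-Astro-Path': '/blog' } },
  { method: 'DELETE', url: '/api/health', headers: { 'x-astro-path': '/api/other' } },
  { method: 'GET', url: '/about', headers: {} },
];

// Return only the requests that need attention.
function scan(requests) {
  return requests.map(inspectRequest).filter((r) => r.verdict !== 'clean');
}

for (const finding of scan(SAMPLE_REQUESTS)) console.log(finding);
```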
Exploit
Fix
Weakness: Missing Authorization
Related identifiers
Affected products
@Astrojs/Vercel
Astro