Server-Side Request Forgery Risk in Astro Framework by Astro
CVE-2026-33768
6.5 MEDIUM
What is CVE-2026-33768?
The Astro framework contained a vulnerability prior to version 10.0.2 that allowed unauthorized access through the @astrojs/vercel serverless entrypoint. By exploiting the x-astro-path header and x_astro_path query parameter, attackers could bypass Vercel’s platform security measures, creating a serious risk. This flaw enabled all HTTP methods, including POST, PUT, and DELETE, to reach unauthorized internal paths. Consequently, even firewall rules designed to guard sensitive endpoints would be ineffective. The issue has been resolved in version 10.0.2, which emphasizes the importance of keeping dependencies updated to mitigate potential exploits.
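As an added defensive illustration (not code from Astro, @astrojs/vercel or Vercel), the following Node-style pre-filter drops the two client-controlled channels named above, the `x-astro-path` header and the `x_astro_path` query parameter, before a request reaches the serverless entrypoint, and records each occurrence so it can be alerted on. Request objects, the sample traffic and the placeholder path values are constructed for this example.

```javascript
// Added example, not part of the Astro/@astrojs/vercel code base.
// Strips the untrusted path-override channels from CVE-2026-33768 and
// reports them. Requests are assumed to be plain objects
// { method, url, headers }; header names are matched case-insensitively.

const OVERRIDE_HEADER = "x-astro-path"; // header named in the advisory
const OVERRIDE_PARAM = "x_astro_path";  // query parameter named in the advisory

function sanitizeAstroPathOverride(req) {
  const findings = [];
  const headers = {};
  // Copy every header except the override header, which is dropped.
  for (const [name, value] of Object.entries(req.headers || {})) {
    if (name.toLowerCase() === OVERRIDE_HEADER) {
      findings.push({ source: "header", value: String(value) });
      continue;
    }
    headers[name] = value;
  }
  // Remove the override query parameter; the base origin is only needed
  // so that relative request targets parse with the WHATWG URL API.
  const url = new URL(req.url, "http://localhost");
  for (const v of url.searchParams.getAll(OVERRIDE_PARAM)) {
    findings.push({ source: "query", value: v });
  }
  url.searchParams.delete(OVERRIDE_PARAM);
  return {
    request: { method: req.method, url: url.pathname + url.search, headers },
    findings,
  };
}

// Constructed sample traffic: one benign GET and two requests carrying an
// override channel (path values are placeholders, not real endpoints).
const SAMPLE_REQUESTS = [
  { method: "GET", url: "/blog", headers: { host: "example.test" } },
  { method: "POST", url: "/",
    headers: { host: "example.test", "X-Astro-Path": "/placeholder-a" } },
  { method: "DELETE", url: "/?x_astro_path=%2Fplaceholder-b",
    headers: { host: "example.test" } },
];

// Returns only the sanitized results that carried an override channel,
// i.e. the requests worth logging or alerting on.
function scanForOverrides(requests) {
  return requests
    .map((r) => sanitizeAstroPathOverride(r))
    .filter((res) => res.findings.length > 0);
}
```

Running `scanForOverrides(SAMPLE_REQUESTS)` flags the POST and DELETE requests and returns them with the override header and parameter removed, while the benign GET passes through unreported.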
Affected Version(s)
astro < 10.0.2
