Vercel April 2026 Security Incident

On April 19, Vercel disclosed a security incident in which unauthorized access to internal Vercel systems may have exposed environment variables that were not marked as "sensitive" for a subset of customers.

Out of an abundance of caution, Trunk has rotated every API key, token, and credential that was stored as a Vercel environment variable, regardless of whether it was flagged sensitive. We have also reviewed activity logs across our Vercel environments and found no evidence of unauthorized access or suspicious deployments.

No customer action is required, and we will share further updates if the scope of the incident changes.
