🚄 Edits have been added to provide additional clarity as of 00:00 UTC, in addition to an update to the title for accuracy
Railway experienced an incident where CDN features were accidentally enabled for some domains without users enabling them.
For those affected, this may have resulted in potentially authenticated data being served to unauthenticated users.
On March 30, 2026 between 10:42 UTC and 11:34 UTC (52 minutes), a Railway engineer rolled out a change causing HTTP GET responses to be incorrectly cached across ~0.05% of domains on Railway with CDN disabled.
During this window, cached responses may have been served to users other than the original requester, which meant potentially authenticated data was served to unauthenticated users.
This meant that your application may have served responses intended for one user to a different user.
As a result, for applications served on Railway, your users may have seen pages intended for other users.
We take this very seriously, and detail below what happened, how we’ve addressed it, and how we’re preventing it from happening in the future.
On March 30, 2026:
10:42 UTC - A Railway engineer deployed a configuration update to our CDN provider. This accidentally enabled caching for domains that had CDN turned off.