2 months ago
URGENT - Railway caching all HTTP responses including authenticated API calls, leaking user data between sessions
Since today all our Railway-hosted services are aggressively caching every HTTP response. This includes authenticated API responses with Authorization Bearer headers. When a user logs in, they receive cached responses from OTHER users' previous sessions. This is a critical security incident with user data leaking between sessions.
Evidence:
- Our backend logs show almost no GET requests arriving, only OPTIONS preflights. A caching layer is intercepting GETs before they reach our app.
- Accessing Railway URLs directly (bypassing our CDN) still returns cached/stale data, confirming it's Railway-side.
- Logging in returns another user's session data from cache.
- No code changes were deployed today. The issue started on its own.
- We tested multiple different Railway service URLs and all have the same caching behavior.
Setup: Express.js backend with JWT auth + React SPA, both on Railway. We've added Cache-Control no-store headers but the caching seems to happen before requests reach our application.
Is anyone else experiencing this? We need this resolved immediately as authenticated responses are being served to the wrong users.
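The "Cache-Control no-store" mitigation the post mentions, written out as an added example (not code from the original post or from Railway): an Express-compatible middleware that marks every response to an authenticated request as uncacheable, plus a check that implements the RFC 9111 rule a shared cache must apply to such responses. Function names are assumed; the middleware relies only on `res.setHeader`, which Express inherits from Node's `http.ServerResponse`.

```javascript
// Directives that keep a response out of every shared cache (CDN, platform edge).
const UNCACHEABLE = 'no-store, no-cache, private, max-age=0';

// Express/Node middleware: any request carrying credentials gets a response that
// no shared cache may store or reuse for another client.
function noStoreForAuthenticated(req, res, next) {
  if (req.headers.authorization || req.headers.cookie) {
    res.setHeader('Cache-Control', UNCACHEABLE);
    res.setHeader('Pragma', 'no-cache');          // HTTP/1.0 caches
    res.setHeader('Expires', '0');                // legacy freshness fallback
    res.setHeader('Vary', 'Authorization, Cookie'); // never key only on the URL
  }
  next();
}

// Parse "public, max-age=60" into a Set of lowercase directive names.
function parseCacheControl(value) {
  return new Set(
    String(value).split(',').map(d => d.trim().split('=')[0].toLowerCase()).filter(Boolean)
  );
}

// RFC 9111 §3 / §3.5: may a *shared* cache store this response?
// Responses to requests with Authorization are not stored unless the origin
// explicitly allows it with public, s-maxage or must-revalidate.
function sharedCacheMayStore(requestHeaders, responseHeaders) {
  const cc = parseCacheControl(responseHeaders['cache-control'] || '');
  if (cc.has('no-store') || cc.has('private')) return false;
  if (requestHeaders.authorization) {
    return cc.has('public') || cc.has('s-maxage') || cc.has('must-revalidate');
  }
  // No credentials and no forbidding directives: heuristic caching is permitted,
  // which is why the explicit no-store above matters.
  return true;
}

// Runs the middleware against a constructed request/response pair and returns
// the headers it set, so the behaviour can be checked without a server.
function applyToFakeResponse(requestHeaders) {
  const headers = {};
  let nextCalled = false;
  const res = { setHeader: (k, v) => { headers[k.toLowerCase()] = v; } };
  noStoreForAuthenticated({ headers: requestHeaders }, res, () => { nextCalled = true; });
  return { headers, nextCalled };
}
```

Register it before the routes with `app.use(noStoreForAuthenticated)`; it does not help when a cache sits in front of the origin and ignores these headers, which is the situation the post describes, but it removes any ambiguity about what a compliant cache may keep.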
6 Replies
2 months ago
This happened to us as well. We had to disable caching.
mishaelajay
2 months ago
That didn't work for us; we had to stop all the services. Apparently Railway deployed a fix and it's now working properly.
2 months ago
Their status page claims only "images, videos and other known-static assets" and "content with public Cache-Control headers" were cached, and that "no HTML would've been cached." But what you're describing — authenticated API responses with Bearer tokens being served to other users — directly contradicts that. JSON responses from authenticated endpoints are not static assets.
This is a cross-user data leak. That's a security breach, not an operational oops.
The status page currently says "Operational" while users are reporting session data leaking between accounts.
Railway needs to:
1. Reclassify this as a critical security incident, not a resolved operational issue.
2. Notify all affected users directly — depending on jurisdiction (GDPR, etc.)
3. Publish a full post-mortem detailing exactly what was cached.
4. Tell how many authenticated responses were served to wrong users, and what data was exposed.
The incident was marked as retroactively resolved at 11:30 UTC, yet at 12:27 UTC they acknowledged that content without Cache-Control headers was also cached — meaning even their own initial assessment of the impact was wrong.
chavsi
2 months ago
Exactly. I am also surprised. HTML requests were redirected too. Basically a cached response was sent to everyone.
2 months ago
In my case, I had to manually shut down my service. That is one hour of lost business, lost trust from my users, and lost confidence in Railway as a platform.
I chose Railway because I trusted it with my production infrastructure. Right now, that trust is hanging by a thread :\
