Request for Compensation Regarding CDN Incident and Data Exposure Risk
strajaiteki
HOBBYOP

2 months ago

Hello Railway Team,

I’m reaching out regarding the recent CDN incident you reported, where cached GET responses were incorrectly served across different users.

Unfortunately, my platform was among the affected (~0.05%), and I was alerted by multiple users experiencing highly concerning behavior — specifically, being logged into other users’ accounts or seeing data that did not belong to them.

At the time, this appeared to be a critical flaw in my own system, and I spent several hours investigating what I believed to be a severe backend or authentication issue. Only later did your notification clarify that the root cause was on the CDN layer.

While I understand that incidents can happen, this particular issue represents a serious breach of user isolation and trust. The fact that user-specific responses were served to other users introduces significant security implications, regardless of the scale or duration.

Even though the overall impact on my platform was limited, this situation caused:

  • Loss of time and resources spent investigating a non-existent internal issue
  • Reputational risk and user confusion due to account/session inconsistencies
  • Exposure of user-specific data

Given the severity and nature of this incident, I would like to request appropriate compensation, such as service credits or other forms of account adjustment.

I value Railway as a platform and appreciate your transparency in reporting the issue. However, incidents involving cross-user data exposure are critical by nature, and I believe a gesture of compensation would be appropriate in this case.

Thank you for your time, and I look forward to your response.

Best regards,

Strahinja Popovic from Balkanflix.


Status changed to Awaiting Railway Response Railway about 2 months ago


strajaiteki
HOBBYOP

2 months ago

Given that this incident involved cross-user data exposure and user session mixups, I would still expect some form of compensation or goodwill credit, even if the impact was limited.

This type of issue directly affects user trust and platform integrity. Incidents like this would typically be treated as security-related on most platforms.


Hi Strahinja,

Sorry for the delay in responding. We have been conducting a thorough investigation into this incident, coordinating with our upstream CDN vendor, and working with counsel to ensure we communicate accurately to affected customers.

I understand you spent significant time investigating what appeared to be an internal issue before our notification clarified the root cause. That's time and effort you shouldn't have had to spend, and I'm sorry for that.

To confirm what happened: during the 52-minute incident window, only GET responses were cached. POST requests were not cached. Our upstream CDN vendor has confirmed that their platform deviated from RFC 9111 in how it handled responses containing Authorization headers, and that this behavior deviated from their own public-facing documentation. They are preparing a formal Service Advisory. The full incident report is available at Incident Report: March 30th, 2026 - Accidental CDN Caching.

If you need traffic data for your domain from the incident window to support any assessment on your end, let us know.

Best,

Angelo


Status changed to Awaiting User Response Railway about 2 months ago
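
The RFC 9111 rule the reply above refers to is section 3.5: a shared cache (which is what a CDN is) must not store a response to a request that carries an Authorization header unless the response explicitly permits it with must-revalidate, public or s-maxage. The following is an added example, not Railway's, the CDN vendor's or Balkanflix's code. It implements that storability decision, then audits origin responses to flag the ones whose only protection against a shared cache is that Authorization rule, which is exactly the protection that failed here. All request/response samples are constructed; the path names and header values are illustrative.

```python
"""Added example (not Railway's or the CDN vendor's code): an RFC 9111 3.5
storability check for a shared cache, plus an audit that flags origin
responses which rely on that rule alone. Samples are constructed."""
from typing import Dict, List, Optional, Tuple

Headers = Dict[str, str]


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split a Cache-Control field into {directive: argument-or-None}."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def _lower(h: Headers) -> Headers:
    return {k.lower(): v for k, v in h.items()}


def shared_cache_may_store(request: Headers, response: Headers) -> bool:
    """Storability as it applies to a shared cache such as a CDN (RFC 9111).

    - no-store forbids storage anywhere; private forbids storage in a shared
      cache (section 5.2.2).
    - A response to a request carrying Authorization MUST NOT be stored by a
      shared cache unless the response explicitly allows it with
      must-revalidate, public or s-maxage (section 3.5).
    """
    req, res = _lower(request), _lower(response)
    cc = parse_cache_control(res.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return False
    if "authorization" in req:
        return any(d in cc for d in ("must-revalidate", "public", "s-maxage"))
    return True


def classify(request: Headers, response: Headers) -> str:
    """How an origin response is protected from a shared cache.

    'explicit' : origin sent private or no-store; safe even if the CDN ignores
                 the Authorization rule.
    'implicit' : unstorable only because the request had Authorization. This is
                 the protection that failed in the incident discussed above.
    'storable' : a compliant shared cache may store and re-serve it.
    """
    res_cc = parse_cache_control(_lower(response).get("cache-control", ""))
    if "no-store" in res_cc or "private" in res_cc:
        return "explicit"
    if not shared_cache_may_store(request, response):
        return "implicit"
    return "storable"


def has_credentials(request: Headers) -> bool:
    """Authorization or Cookie: either can make a GET response user-specific.
    RFC 9111 gives Cookie no special treatment, so cookie-authenticated
    responses get no implicit protection at all."""
    req = _lower(request)
    return "authorization" in req or "cookie" in req


def find_exposed(samples: List[Tuple[str, Headers, Headers]]) -> List[Tuple[str, str]]:
    """Return (path, classification) for credentialed requests whose response
    does not carry an explicit private/no-store."""
    return [
        (path, classify(req, res))
        for path, req, res in samples
        if has_credentials(req) and classify(req, res) != "explicit"
    ]


# Constructed samples (not real traffic): path, request headers, response headers.
SAMPLES: List[Tuple[str, Headers, Headers]] = [
    ("/api/me", {"Authorization": "Bearer tokenA"}, {"Cache-Control": "max-age=60"}),
    ("/api/me", {"Authorization": "Bearer tokenB"}, {"Cache-Control": "private, no-store"}),
    ("/api/orders", {"Authorization": "Bearer tokenC"}, {"Cache-Control": "public, max-age=60"}),
    ("/dashboard", {"Cookie": "session=abc"}, {"Cache-Control": "max-age=60"}),
    ("/assets/app.js", {}, {"Cache-Control": "public, max-age=31536000"}),
]

if __name__ == "__main__":
    for path, kind in find_exposed(SAMPLES):
        print(f"{path}: {kind}")
```

Running the audit over the constructed samples lists `/api/me` (implicit), `/api/orders` (storable, because the origin itself marked user data public) and `/dashboard` (storable, because a session cookie does not trigger the section 3.5 rule). The practical takeaway for an origin behind any shared cache is to send `Cache-Control: private, no-store` on every per-user response rather than relying on the CDN to honour the Authorization rule; that keeps the response unstorable even when the cache layer deviates from the RFC, as the vendor confirmed it did here.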


Railway
BOT

a month ago

This thread has been marked as solved automatically due to a lack of recent activity. Please re-open this thread or create a new one if you require further assistance. Thank you!

Status changed to Solved Railway about 1 month ago

