Incident Report: March 30th, 2026 — Authenticated User Data Cached

Incident Report: March 30th, 2026 — Authenticated User Data Cached

Author: Jacob Cooper Date: Mar 30, 2026

Impact

Between 10:42 and 11:34 UTC on March 30, 2026, a configuration update accidentally enabled caching on approximately 0.05% of Railway domains where CDN was disabled. During this 52-minute window, “cached responses may have been served to users other than the original requester, which meant potentially authenticated data is served to unauthenticated users.”

Incident Timeline

  • 10:42 UTC - Engineer deployed a CDN configuration update that unintentionally activated caching for domains with CDN turned off
  • 11:14 UTC - Issue identification occurred based on internal monitoring and user reports
  • 11:34 UTC - The problematic change was fully reverted and all cached content was purged globally

What Happened

Railway offers opt-in CDN caching for content delivery. A configuration update meant to enable Surrogate Keys “accidentally enabled caching on domains that had it disabled.” While origin cache directives were respected and cookies weren’t cached, most GET responses without explicit headers were cached by default during the incident window.

Preventative Measures

Railway implemented:

  • Enhanced testing protocols for caching behaviors before production deployment
  • Gradual CDN rollouts spanning hours rather than minutes

The company acknowledged prioritizing safety and security over new feature development going forward.