Incident Report: March 30th, 2026 — Authenticated User Data Cached
Author: Jacob Cooper Date: Mar 30, 2026
Impact
Between 10:42 and 11:34 UTC on March 30, 2026, a configuration update accidentally enabled caching on approximately 0.05% of Railway domains where CDN was disabled. During this 52-minute window, “cached responses may have been served to users other than the original requester, which meant potentially authenticated data is served to unauthenticated users.”
Incident Timeline
- 10:42 UTC - Engineer deployed a CDN configuration update that unintentionally activated caching for domains with CDN turned off
- 11:14 UTC - Issue identification occurred based on internal monitoring and user reports
- 11:34 UTC - The problematic change was fully reverted and all cached content was purged globally
What Happened
Railway offers opt-in CDN caching for content delivery. A configuration update meant to enable Surrogate Keys “accidentally enabled caching on domains that had it disabled.” While origin cache directives were respected and cookies weren’t cached, most GET responses without explicit headers were cached by default during the incident window.
Preventative Measures
Railway implemented:
- Enhanced testing protocols for caching behaviors before production deployment
- Gradual CDN rollouts spanning hours rather than minutes
The company acknowledged prioritizing safety and security over new feature development going forward.