Railway configuration error leads to accidental data exposure for users

A configuration update at Railway on March 30, 2026, caused authenticated application data to be incorrectly cached and served to unauthorized users for a 52-minute period.

Key points

• The incident occurred between 10:42 UTC and 11:34 UTC on March 30, 2026, affecting approximately 0.05% of domains.
• A deployment error accidentally enabled CDN caching for domains where the feature was explicitly disabled by users.
• Cached HTTP GET responses were served to unintended users, potentially exposing private or authenticated information.
• Railway fully reverted the configuration change and purged all global edge caches by 11:34 UTC.
• The company is implementing additional pre-production testing and slower, phased rollout procedures to prevent future configuration errors.

This incident highlights the significant security risks associated with automated infrastructure updates and the potential for data privacy breaches in cloud hosting environments. Railway is now prioritizing safety and security protocols over new feature development to restore user trust and prevent similar unauthorized data exposure.