
Incident Report: March 30th, 2026 — Authenticated user data cached

Blog post from Railway

Post Details
Author: Jacob Cooper
Word Count: 515
Summary

Railway experienced an incident on March 30, 2026, in which CDN features were unintentionally enabled for some domains, so that authenticated data may have been served to unauthorized users. A configuration update mistakenly enabled caching for domains that had CDN disabled, affecting approximately 0.05% of domains. The incident lasted 52 minutes, during which cached responses might have been served to users other than the original requester, potentially exposing user-specific content. Railway identified and resolved the issue by reverting the changes and purging all cached assets. The company has implemented additional preventative measures, including enhanced testing and slower rollouts of CDN changes, to mitigate such risks in the future. It has also prioritized safety and security over new feature development to rebuild customer trust.