Security hardening week across the AI SDK and Workers edge
June 8–14, 2026
Vercel's AI SDK received coordinated security patches for SSRF, credential exfiltration, and prototype pollution vulnerabilities across a dozen provider packages, while Cloudflare shipped new WAF rules for Ghost CMS SQL injection and threat intelligence integration.
Security patches sweep the AI SDK
This week's dominant story is a coordinated security release across the Vercel AI SDK. Multiple vulnerabilities were identified and patched in a single day, affecting the core runtime and nearly every provider adapter.
The most critical fix addresses a Server-Side Request Forgery (SSRF) vulnerability in the download URL validation. The validateDownloadUrl function and the downloadBlob/download helpers were found to be bypassable in several ways: a fully-qualified hostname with a trailing dot (e.g., localhost.) skipped the localhost blocklist, IPv6 addresses embedding an IPv4 address in their last 32 bits could bypass detection, and the validateDownloadUrl guard wasn't applied to redirect targets. This was fixed across three major versions: ai@5.0.200, ai@6.0.203, and the canary branch ai@7.0.0-canary.172, the latter of which also removed deprecated experimental generateImage exports.
A second class of vulnerability involved credential exfiltration. Several provider clients would follow a URL returned by the provider's API response (for polling, status, or media URLs) and reuse the authenticated headers — or append ?key=<API_KEY> — on that request. Because the host of the response-supplied URL was never validated, an attacker who controlled that URL could capture the API key. This was patched across the Fireworks and Google providers, with the Google fix also addressing prototype pollution when streaming tool arguments.
The MCP client saw two patches: prototype-named tools like constructor or __proto__ could bypass the schemas allowlist because the check used the in operator instead of Object.hasOwn — fixed in @ai-sdk/mcp@1.0.49 and @ai-sdk/mcp@0.0.19. Both also locked the first SSE endpoint received via event to prevent endpoint switching. The AI Gateway followed with @ai-sdk/gateway@2.0.101 and Gateway v3.0.131 mapping forbidden errors to GatewayForbiddenError instead of GatewayInternalServerError, the latter also surfacing provider warnings in embedding and reranking responses. Finally, AI SDK devtools@0.0.19 secured the devtools viewer API access.
Cloudflare edge security: WAF rules and threat intelligence
On the Cloudflare side, the Application Security team shipped two significant WAF releases. The WAF release of 2026-06-15 introduced new managed protection for a critical SQL injection vulnerability in Ghost CMS (CVE-2026-26980) and a generic rule targeting sophisticated SQLi bypass attempts using obfuscated boolean logic — both deployed at the network edge before traffic reaches the origin.
More strategically, Cloudflare now lets you match WAF rules against Cloudforce One threat intelligence. A new detection looks up each request's client IP against the threat intelligence database. If the IP was involved in threat activity in the past seven days, Cloudflare populates cf.intel.ip.* fields that you can use in custom rules and rate limiting rules. This brings real-time threat data directly into the WAF rule engine, a significant upgrade for teams that need to block known bad actors without maintaining their own IP blocklists.
Vercel platform: Blob limits, Workflow in Nitro, and CLI improvements
Vercel raised the Hobby Blob store limit from 5 to 100, giving hobby-tier teams the flexibility to organize data by project, environment, or region without hitting artificial constraints. Storage, operations, and transfer limits still apply, but the 20x increase removes a common friction point for growing applications.
The Vercel Workflow SDK now runs natively in Nitro v3 in beta. Steps run inside the same bundled runtime as the rest of your app, letting you use Nitro's useStorage() and other server-side APIs directly inside "use step" functions. The dev server also serves a workflow web UI at /_workflow for inspecting, monitoring, and debugging runs. Workflow routes are now bundled by Nitro with dependency tracing and tree-shaking, promising faster builds and smaller bundles.
The Vercel CLI saw user-facing improvements: vercel@54.13.0 added a --category filter to vercel integration discover and a new vercel integration categories subcommand, while vercel@54.14.0 introduced ai-gateway rules commands for adding, listing, editing, and removing rules. The @vercel/frameworks@3.29.0 package graduated the Eve framework from experimental and added a Bun preset.
Next.js canary and Turborepo fixes
The Next.js v16.3.0-canary.51 avoids a premature Suspense fallback flash in the streaming dev render, while v16.3.0-canary.49 adds a warning for prefetch={true} navigation when Partial Prefetching is not enabled, and serves stale 'use cache' entries until they expire. Turborepo v2.9.19-canary.5 filters pruned pnpm workspace patches and fixes caching outputs through internal symlinks, while v2.9.19-canary.4 brings PTY support for interactive tasks on Windows.
Releases covered
- AI SDK ai@5.0.200 hardens download URL SSRF guard and redacts server errors
- AI SDK ai@6.0.203 hardens download URL SSRF and redacts server error details
- AI SDK ai@7.0.0-canary.172 hardens download URL SSRF guard and redacts errors
- AI SDK @ai-sdk/fireworks@1.0.41 prevents credential exfiltration
- AI SDK Google provider 3.0.82 prevents prototype pollution and credential exfiltration
- AI SDK @ai-sdk/mcp@1.0.49 prevents prototype-named tools from bypassing allowlist
- AI SDK @ai-sdk/mcp@0.0.19 locks first SSE endpoint and prevents prototype tool bypass
- AI SDK @ai-sdk/gateway@2.0.101 maps forbidden errors to GatewayForbiddenError
- AI SDK Gateway v3.0.131 surfaces provider warnings and maps forbidden errors
- AI SDK devtools@0.0.19 fixes secured API access
- Vercel raises Hobby Blob store limit from 5 to 100
- Vercel Workflow SDK now runs natively in Nitro v3
- Vercel CLI @vercel/frameworks@3.29.0 adds Bun preset and graduates Eve
- Next.js v16.3.0-canary.51 avoids premature Suspense fallback flash
- Next.js v16.3.0-canary.49 warns on prefetch={true} navigation
- Turborepo v2.9.19-canary.5 filters pruned pnpm workspace patches
- Turborepo v2.9.19-canary.4 uses PTY for interactive Windows tasks