Automatic Security Blocking

Vercel has implemented automatic protection against deployments containing vulnerable versions of the third-party package next-mdx-remote that are susceptible to CVE-2026-0969. Any new deployment attempt containing an affected version will now automatically fail.

What Developers Should Know

• Immediate impact: New deployments with vulnerable next-mdx-remote versions are blocked by default
• Recommended action: Upgrade to a patched version of next-mdx-remote regardless of your hosting provider
• Override option: The blocking can be disabled by setting the environment variable DANGEROUSLY_DEPLOY_VULNERABLE_CVE_2026_0969=1 on your Vercel project (not recommended for production)

Next Steps

Review your project's dependencies to identify if you're using vulnerable versions of next-mdx-remote. If your deployments are being blocked, update to the latest patched version and redeploy. For configuration details on disabling this protection (if necessary), see Vercel's environment variables documentation.