Post-Mortem: Phala Cloud API Authorization Vulnerability (June 1, 2026)
Status: Resolved & patched · Severity: P0 · Window: May 31 – June 1, 2026 (UTC)
This is a detailed follow-up to our June 1 security notice.
On June 1, 2026, an attacker used a bug in a Phala Cloud API endpoint to change CVMs they didn't own. We've fixed the bug, undone every unauthorized change, banned the accounts in...