Gcore - Global CDN and API Incident Details – Incident details

Public RCA about the Incident:

Date: May 13, 2026 | Duration: 19:08 – 20:14 UTC (1 hour 6 minutes)

Summary

On May 13, 2026, from 19:08 to 20:14 UTC, part of Gcore's CDN service experienced a global disruption. CDN edges worldwide failed to process requests and returned HTTP 502 errors for a subset of client resources. The disruption affected gcore.com, the Customer Portal, public API endpoints, and CDN delivery on part of the infrastructure. 

Impact

• gcore.com and portal.gcore.com were unreachable.

• api.gcore.com returned 502 errors, affecting API-based operations across CDN, Cloud, DNS, Streaming, Storage, WAAP, and IAM services.

• SSO/SAML-based authentication to the portal was disrupted during and briefly after the window.

• Customers with CDN resources served through the affected infrastructure saw 502 errors for their end-user traffic.

Root Cause

This was a stacked-defect incident — three independent gaps in the CDN configuration pipeline combined to turn a single configuration change into a global edge failure. Any one of the three defects, had it been absent, would have prevented the outage.

1. API input validation gap: An internal origin routing field, originally intended as an admin-only configuration knob, lost its access restriction in a 2023 API rewrite and was later published in the public API documentation (March 2026) without specifying its allowed values. This allowed a non-standard value to be submitted and accepted via the API.

2. Configuration generation logic error: When the CDN configuration pipeline processed the resource with the non-standard value, a bug in the rule-level config generation silently dropped all origin servers — producing a configuration with an empty upstream list. 

3. Edge initialization crash: When a CDN edge node received a configuration with an empty upstream list, an edge-side script crashed during the initialization phase. Because the configuration file is global (shared across all resources on a node), this single malformed entry caused the entire node to fail initialization — returning HTTP 502 for all traffic, not just the affected resource. This crash propagated across all edge nodes on the affected infrastructure.

Timeline (UTC)

Resolution

Service was restored at 20:14 UTC by disabling the resource containing the malformed configuration. Engineers had been mitigating the impact since 19:42 UTC by routing critical control-plane services (API, portal) through alternative edge infrastructure.

Corrective Actions

We sincerely apologize for the disruption this caused. We are committed to completing the remaining fixes and implementing additional safeguards to prevent a similar configuration pipeline failure from causing a global impact in the future.

We are happy to inform you that the Major outage with our website, Global CDN Delivery, API access for all services and Customer Portal has been resolved. However, if you continue to experience any issues, please do not hesitate to contact our support team. Our team will be happy to assist you and ensure that any further concerns are addressed promptly.

We will also provide a detailed Root Cause Analysis (RCA) once it becomes available.

We appreciate your patience and understanding throughout this incident, and we thank you for your cooperation.

For further assistance, please contact our support team via support@gcore.com

The issue has been resolved, and all services have fully recovered. We are continuing to monitor the situation to ensure stability. We apologise for the inconvenience.

We are recovering, and all services are up and running. CDN service has mostly recovered; however, it may still be partially unavailable for some users. We are continuing to monitor the situation and working on the fix.

Website and Customer Portal are up again. We are continuing to fix other services.

The API access has been recovered, and we are continuing to fix other services. We will keep you updated.