
Next.js CVE-2026-44573

Severity: HIGH (CVSS 3.1 base score 7.5, GitHub Advisory)
Weakness: Incorrect Authorization (CWE-863)
Published: 2026-05-11
Project: https://github.com/vercel/next.js
Advisory: GHSA-36qx-fr4f-26g5

Severity by source

  • GitHub Advisory (primary): 7.5 HIGH, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Red Hat: 7.5 HIGH (qualitative)

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None

Lifecycle Timeline

  • Source Code Evidence Fetched: May 11, 2026 - 16:15 (vuln.today)
  • Analysis Generated: May 11, 2026 - 16:15 (vuln.today)
  • CVE Published: May 11, 2026 - 15:53 (nvd)

Blast Radius (ecosystem impact)

  • 19 npm packages depend on next (17 direct, 2 indirect); transitive graph resolved by vuln.today to a 4-path depth

Ecosystem-wide dependent count for version 12.2.0.

Description (GitHub Advisory)

Impact

Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /_next/data/<buildId>/<page>.json requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks.
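While the upgrade is rolled out, defenders can look for the request shape the advisory describes in their own access logs. The following scanner is an added example, not code from the advisory or from Next.js: it parses combined-format log lines, recognises Pages Router data routes of the form /_next/data/<buildId>/<page>.json, and flags those whose first segment after the build ID is not one of the configured locales. It assumes (as the advisory implies for an i18n-enabled Pages Router app) that legitimate data requests carry a locale segment; the locale list, the protected page names, the build ID and the log lines are all constructed.

```javascript
// Added example (not from the advisory or the Next.js project): flag locale-less
// Pages Router data-route requests in access logs. LOCALES mirrors what an app
// would set in i18n.locales in next.config.js; PROTECTED_PAGES are the pages the
// app guards with middleware. Both lists are constructed for this example.
const LOCALES = ["en", "fr", "de"];
const PROTECTED_PAGES = ["dashboard", "account"];

// Path of a Pages Router data route: /_next/data/<buildId>/<rest>.json
const DATA_ROUTE = /^\/_next\/data\/([^/]+)\/(.+)\.json$/;

// Classify one request path. Returns null for anything that is not a data route,
// otherwise { buildId, page, locale, localeLess }. With i18n, the index page's
// data route is /_next/data/<buildId>/<locale>.json, so an empty remainder means
// the index page.
function classifyDataRoute(path, locales = LOCALES) {
  const clean = path.split("?")[0];
  const m = DATA_ROUTE.exec(clean);
  if (!m) return null;
  const [, buildId, rest] = m;
  const segments = rest.split("/");
  const hasLocale = locales.includes(segments[0]);
  const page = hasLocale ? segments.slice(1).join("/") : rest;
  return {
    buildId,
    page: page || "index",
    locale: hasLocale ? segments[0] : null,
    localeLess: !hasLocale,
  };
}

// Extract method, path and status from a combined-log-format line.
const LOG_LINE = /"(GET|HEAD|POST) (\S+) HTTP\/[\d.]+" (\d{3})/;

// Scan log lines and return one finding per locale-less data-route request.
// A 200 on a locale-less data route for a middleware-guarded page is the
// strongest signal that the bypass was exercised; everything else is "info".
function scanLogs(lines, { locales = LOCALES, protectedPages = PROTECTED_PAGES } = {}) {
  const findings = [];
  for (const line of lines) {
    const m = LOG_LINE.exec(line);
    if (!m) continue;
    const [, , path, status] = m;
    const info = classifyDataRoute(path, locales);
    if (!info || !info.localeLess) continue;
    const topLevel = info.page.split("/")[0];
    const guarded = protectedPages.includes(topLevel);
    findings.push({
      path,
      status: Number(status),
      page: info.page,
      protectedPage: guarded,
      severity: guarded && status === "200" ? "high" : "info",
    });
  }
  return findings;
}

// Constructed sample log lines; BUILD_ID stands in for a real build identifier.
const SAMPLE_LOGS = [
  '203.0.113.5 - - [11/May/2026:16:00:01 +0000] "GET /en/dashboard HTTP/1.1" 302 0',
  '203.0.113.5 - - [11/May/2026:16:00:02 +0000] "GET /_next/data/BUILD_ID/en/dashboard.json HTTP/1.1" 302 0',
  '203.0.113.5 - - [11/May/2026:16:00:03 +0000] "GET /_next/data/BUILD_ID/dashboard.json HTTP/1.1" 200 4821',
  '198.51.100.7 - - [11/May/2026:16:00:04 +0000] "GET /_next/data/BUILD_ID/fr.json HTTP/1.1" 200 311',
  '198.51.100.7 - - [11/May/2026:16:00:05 +0000] "GET /_next/data/BUILD_ID/blog/hello.json?x=1 HTTP/1.1" 200 900',
  '198.51.100.7 - - [11/May/2026:16:00:06 +0000] "GET /_next/static/chunks/main.js HTTP/1.1" 200 50000',
];

// scanLogs(SAMPLE_LOGS) → two findings: dashboard (high) and blog/hello (info)
```

The scanner deliberately reports every locale-less data route, not only those for protected pages: a non-i18n app emits exactly that shape legitimately, so the locale list must match the deployment, and a burst of "info" findings on an i18n app is itself worth a look.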

Fix

The matcher logic was updated to perform the same match as it would on a non-i18n data route.

Workarounds

If you cannot upgrade immediately, enforce authorization in the page's server-side data path instead of relying solely on middleware.
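The workaround works because getServerSideProps runs for both the HTML request and the /_next/data/<buildId>/<page>.json request, so a check placed there cannot be skipped by choosing a URL that middleware never sees. The wrapper below is an added example, not code from the advisory or from Next.js: withAuth, getSession, parseCookies, the `role` option, the in-memory SESSION_STORE and the request contexts built by makeContext are all assumptions constructed for this illustration; a real page would export the wrapped function as getServerSideProps and resolve the session from its own backend.

```javascript
// Added example (not from the advisory or the Next.js project): enforce
// authorization inside getServerSideProps so that page and data-route requests
// are guarded identically. The session store, cookie name and roles are
// constructed stand-ins for a real session backend.
const SESSION_STORE = new Map([
  ["sess-alice", { userId: "alice", roles: ["user"] }],
  ["sess-bob", { userId: "bob", roles: ["user", "admin"] }],
]);

// Minimal Cookie-header parser: "name=value; name2=value2" -> object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Resolve the caller's session from the request, or null when absent/unknown.
function getSession(req) {
  const cookies = parseCookies(req.headers && req.headers.cookie);
  const token = cookies["session"];
  if (!token) return null;
  return SESSION_STORE.get(token) || null;
}

// Wrap a page's getServerSideProps (hypothetical helper). Unauthenticated callers
// receive a redirect object, which Next.js serves for both HTML and data-route
// requests without emitting props. `opts.role` (hypothetical option) requires a
// role and answers 404 otherwise, so the page's existence is not confirmed.
// The wrapped loader may be sync or async; Next.js awaits whatever is returned.
function withAuth(gssp, opts = {}) {
  return function guardedGssp(context) {
    const session = getSession(context.req);
    if (!session) {
      const dest = "/login?next=" + encodeURIComponent(context.resolvedUrl || "/");
      return { redirect: { destination: dest, permanent: false } };
    }
    if (opts.role && !session.roles.includes(opts.role)) {
      return { notFound: true };
    }
    return gssp({ ...context, session });
  };
}

// Page data loader: only reached once withAuth has passed; `secret` is a
// constructed stand-in for protected SSR data.
function dashboardProps(context) {
  return { props: { user: context.session.userId, secret: "account-balance" } };
}

// In a page file these would be `export const getServerSideProps = ...`.
const getServerSideProps = withAuth(dashboardProps);
const getAdminProps = withAuth(dashboardProps, { role: "admin" });

// Build a constructed request context. `url` is carried only to make the point
// visible in tests: the guard never looks at it, so the data-route URL is
// treated exactly like the HTML route.
function makeContext(url, cookie) {
  return {
    req: { url, headers: cookie ? { cookie } : {} },
    res: {},
    resolvedUrl: "/dashboard",
  };
}
```

Calling getServerSideProps with a context for /_next/data/BUILD_ID/dashboard.json and no cookie yields only the redirect object; with a valid session cookie it yields the props, and the URL plays no part in either decision.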

Analysis (AI)

Middleware bypass in Next.js Pages Router applications allows unauthenticated access to protected server-side rendered JSON data when i18n is configured. Attackers can retrieve SSR page data through locale-less /_next/data/<buildId>/<page>.json requests without triggering middleware authorization checks. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Identify Next.js Pages Router app with i18n
  • Delivery: Discover build ID from page source
  • Exploit: Craft locale-less data route request
  • Execution: Bypass middleware authorization
  • Persist: Retrieve protected SSR JSON
  • Impact: Exfiltrate sensitive data

Vulnerability Assessment (AI)

Exploitation: Applications must use Next.js Pages Router (not App Router) with i18n internationalization configured in next.config.js and rely on middleware (middleware.js/ts) or upstream proxy for authorization instead of page-level data fetching guards. …

Risk Assessment: CVSS 7.5 indicates high severity with critical exploitability factors: network vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). …

Exploit Scenario: An attacker identifies a Next.js application with user dashboards protected by middleware authentication checks and i18n configured for multiple locales. The attacker bypasses authentication by directly requesting `/_next/data/BUILD_ID/dashboard.json` instead of navigating through the normal `/en/dashboard` route. …

Remediation: Upgrade to Next.js version 15.5.16 or 16.2.5 immediately. …

Recommended Action (AI)

Within 24 hours: Inventory all production Next.js applications and identify those running Pages Router with i18n enabled on versions 12.2.0-15.5.15 or 16.0.0-16.2.4; document business-critical applications and data sensitivity. …



CVE-2026-44573 vulnerability details – vuln.today
