Next.js CVE-2026-44574
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from Vendor (https://github.com/vercel/next.js).
CVSS VectorVendor: https://github.com/vercel/next.js
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
Impact
Applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployments, specially crafted query parameters can alter the dynamic route value seen by the page while leaving the visible path unchanged, which can allow protected content to be rendered without passing the expected middleware check.
Fix
We now only honor internal route-parameter normalization in trusted routing flows and ignore externally supplied parameter encodings that should never have been accepted from ordinary requests.
Workarounds
If you cannot upgrade immediately, enforce authorization in route or page logic instead of relying solely on middleware path matching.
AnalysisAI
Authorization bypass in Next.js 15.4.0-15.5.15 and 16.0.0-16.2.4 allows authenticated attackers to access protected dynamic routes by manipulating query parameters to alter route parameter values seen by the application while keeping the URL path unchanged, bypassing middleware authorization checks. Vendor-released patches available in versions 15.5.16 and 16.2.5. No active exploitation confirmed (not in CISA KEV), but publicly disclosed vulnerability with high CVSS 8.1 (network attack, low complexity, high confidentiality and integrity impact).
Technical ContextAI
Next.js is a React-based web application framework providing server-side rendering and static site generation (pkg:npm/next). This vulnerability (CWE-288: Authentication Bypass Using an Alternate Path or Channel) stems from improper handling of route parameter normalization in the routing layer. Next.js middleware executes before route handlers to perform authorization checks based on path matching against dynamic routes (e.g., /api/users/[id]). The flaw allowed externally supplied query parameter encodings to manipulate the internal route parameter values that reach the page component while the visible path used for middleware matching remained unchanged. This route-parameter injection created a discrepancy between the path the middleware evaluated for authorization and the actual route parameters processed by the application logic, enabling an alternate authentication path that bypassed middleware protections on dynamic routes in both App Router and Pages Router architectures.
RemediationAI
Upgrade Next.js to version 15.5.16 (for 15.x deployments) or 16.2.5 (for 16.x deployments) immediately. Download from npm registry or GitHub releases at https://github.com/vercel/next.js/releases/tag/v15.5.16 and https://github.com/vercel/next.js/releases/tag/v16.2.5. If immediate upgrade is not feasible, implement compensating control by moving authorization logic from middleware into the route handlers or page components themselves, validating user permissions directly in the business logic rather than relying solely on middleware path matching. This workaround trades centralized authorization (cleaner architecture) for defense-in-depth against this specific bypass but may require duplicating authorization checks across multiple routes. Test thoroughly as this shifts authorization execution timing and may affect performance or edge cases. The vendor fix corrects route-parameter normalization to only honor internal encodings in trusted routing flows and reject externally supplied parameter encodings, which requires no configuration changes post-upgrade.
Same technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-492v-c6pp-mqqv