Skip to main content

Next.js CVE-2026-44574

HIGH
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-05-11 https://github.com/vercel/next.js GHSA-492v-c6pp-mqqv
8.1
CVSS 3.1 · Vendor: https://github.com/vercel/next.js
Share

Severity by source

Vendor (https://github.com/vercel/next.js) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Red Hat
8.1 HIGH
qualitative

Primary rating from Vendor (https://github.com/vercel/next.js).

CVSS VectorVendor: https://github.com/vercel/next.js

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 11, 2026 - 16:15 vuln.today
Analysis Generated
May 11, 2026 - 16:15 vuln.today
CVE Published
May 11, 2026 - 15:54 nvd
HIGH 8.1

DescriptionCVE.org

Impact

Applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployments, specially crafted query parameters can alter the dynamic route value seen by the page while leaving the visible path unchanged, which can allow protected content to be rendered without passing the expected middleware check.

Fix

We now only honor internal route-parameter normalization in trusted routing flows and ignore externally supplied parameter encodings that should never have been accepted from ordinary requests.

Workarounds

If you cannot upgrade immediately, enforce authorization in route or page logic instead of relying solely on middleware path matching.

AnalysisAI

Authorization bypass in Next.js 15.4.0-15.5.15 and 16.0.0-16.2.4 allows authenticated attackers to access protected dynamic routes by manipulating query parameters to alter route parameter values seen by the application while keeping the URL path unchanged, bypassing middleware authorization checks. Vendor-released patches available in versions 15.5.16 and 16.2.5. No active exploitation confirmed (not in CISA KEV), but publicly disclosed vulnerability with high CVSS 8.1 (network attack, low complexity, high confidentiality and integrity impact).

Technical ContextAI

Next.js is a React-based web application framework providing server-side rendering and static site generation (pkg:npm/next). This vulnerability (CWE-288: Authentication Bypass Using an Alternate Path or Channel) stems from improper handling of route parameter normalization in the routing layer. Next.js middleware executes before route handlers to perform authorization checks based on path matching against dynamic routes (e.g., /api/users/[id]). The flaw allowed externally supplied query parameter encodings to manipulate the internal route parameter values that reach the page component while the visible path used for middleware matching remained unchanged. This route-parameter injection created a discrepancy between the path the middleware evaluated for authorization and the actual route parameters processed by the application logic, enabling an alternate authentication path that bypassed middleware protections on dynamic routes in both App Router and Pages Router architectures.

RemediationAI

Upgrade Next.js to version 15.5.16 (for 15.x deployments) or 16.2.5 (for 16.x deployments) immediately. Download from npm registry or GitHub releases at https://github.com/vercel/next.js/releases/tag/v15.5.16 and https://github.com/vercel/next.js/releases/tag/v16.2.5. If immediate upgrade is not feasible, implement compensating control by moving authorization logic from middleware into the route handlers or page components themselves, validating user permissions directly in the business logic rather than relying solely on middleware path matching. This workaround trades centralized authorization (cleaner architecture) for defense-in-depth against this specific bypass but may require duplicating authorization checks across multiple routes. Test thoroughly as this shifts authorization execution timing and may affect performance or edge cases. The vendor fix corrects route-parameter normalization to only honor internal encodings in trusted routing flows and reject externally supplied parameter encodings, which requires no configuration changes post-upgrade.

Vendor StatusVendor

Share

CVE-2026-44574 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy