Skip to main content

Next.js CVE-2026-44575

HIGH
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-05-11 https://github.com/vercel/next.js GHSA-267c-6grr-h53f
7.5
CVSS 3.1 · Vendor: https://github.com/vercel/next.js
Share

Severity by source

Vendor (https://github.com/vercel/next.js) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (https://github.com/vercel/next.js).

CVSS VectorVendor: https://github.com/vercel/next.js

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 11, 2026 - 16:15 vuln.today
Analysis Generated
May 11, 2026 - 16:15 vuln.today
CVE Published
May 11, 2026 - 15:54 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 25 npm packages depend on next (25 direct, 0 indirect)

Ecosystem-wide dependent count for version 15.2.0.

DescriptionCVE.org

Impact

App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used for segment prefetching. In affected configurations, specially crafted .rsc and segment-prefetch URLs can resolve to the same page without being matched by the intended middleware rule, which can allow protected content to be reached without the expected authorization check.

Fix

We now include App Router transport variants when generating middleware matchers, so middleware protections are applied consistently to those requests as well as to the normal page URL.

Workarounds

If you cannot upgrade immediately, enforce authorization in the underlying route or page logic instead of relying solely on middleware.

AnalysisAI

Authentication bypass in Next.js App Router allows unauthenticated remote attackers to access protected content by crafting segment-prefetch URLs that evade middleware authorization checks. Applications using Next.js versions 15.2.0-15.5.15 or 16.0.0-16.2.4 with middleware-based authorization are affected. Attackers can append .rsc or segment-prefetch transport variants to URLs to bypass proxy-based authentication controls and retrieve confidential information without authorization. Vendor-released patches are available in Next.js v15.5.16 and v16.2.5 (confirmed by GitHub advisory GHSA-267c-6grr-h53f). EPSS data not provided; no public exploit code identified at time of analysis, though the vulnerability mechanism is well-documented in the vendor advisory.

Technical ContextAI

Next.js App Router is a server-side routing framework for React applications that uses middleware for request interception and authorization. The vulnerability stems from CWE-288 (Authentication Bypass Using an Alternate Path or Channel), where Next.js segment-prefetch mechanism - designed for performance optimization - creates transport-specific route variants (.rsc extensions and prefetch endpoints) that resolve to the same underlying page content. Prior to the fix, middleware matcher generation did not include these transport variants, causing requests to /protected/page.rsc or segment-prefetch variants to bypass middleware rules configured for /protected/page. This represents a discrepancy between the application's authorization model (middleware path matching) and the framework's internal routing implementation. The affected npm packages (pkg:npm/next versions 15.2.0-15.5.15 and 16.0.0-16.2.4) fail to apply consistent middleware evaluation across all URL representations of the same logical route.

RemediationAI

Upgrade to Next.js version 15.5.16 (for 15.x users) or version 16.2.5 (for 16.x users) immediately. These patched versions include App Router transport variants in middleware matcher generation, ensuring consistent authorization enforcement across all URL representations. Upgrade instructions and release notes available at https://github.com/vercel/next.js/releases/tag/v15.5.16 and https://github.com/vercel/next.js/releases/tag/v16.2.5. If immediate upgrade is not feasible, implement authorization checks directly in route handlers, page components, or Server Components rather than relying solely on middleware path matching. This workaround involves duplicating authorization logic across protected routes, which increases maintenance burden and risk of inconsistent enforcement, but provides defense-in-depth until patching is complete. Review all middleware rules to identify protected paths and ensure corresponding route-level checks are in place. Note that this workaround does not fix the underlying middleware bypass but mitigates unauthorized access by adding a secondary authorization layer.

Vendor StatusVendor

Share

CVE-2026-44575 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy