CVE-2026-45109
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from Vendor (https://github.com/vercel/next.js).
CVSS VectorVendor: https://github.com/vercel/next.js
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 25 npm packages depend on next (25 direct, 0 indirect)
Ecosystem-wide dependent count for version 15.2.0.
DescriptionCVE.org
Impact
It was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. Refer to CVE-2026-44575 for further details.
References
AnalysisAI
Middleware bypass in Next.js App Router applications using Turbopack allows remote unauthenticated attackers to access protected content without authorization checks. This vulnerability is an incomplete fix for CVE-2026-44575, where the original patch failed to address middleware.ts files when Turbopack is enabled. Attackers can craft specially formatted segment-prefetch URLs that bypass middleware authorization rules, leading to unauthorized information disclosure. Vendor-released patches are available in Next.js 15.5.18 and 16.2.6. Active exploitation status and POC availability are not confirmed from available data.
Same technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-26hh-7cqf-hhc6