Skip to main content

CVE-2026-45109

HIGH
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-05-11 https://github.com/vercel/next.js GHSA-26hh-7cqf-hhc6
7.5
CVSS 3.1 · Vendor: https://github.com/vercel/next.js
Share

Severity by source

Vendor (https://github.com/vercel/next.js) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (https://github.com/vercel/next.js).

CVSS VectorVendor: https://github.com/vercel/next.js

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 11, 2026 - 16:48 vuln.today
Analysis Generated
May 11, 2026 - 16:48 vuln.today
CVE Published
May 11, 2026 - 16:21 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 25 npm packages depend on next (25 direct, 0 indirect)

Ecosystem-wide dependent count for version 15.2.0.

DescriptionCVE.org

Impact

It was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. Refer to CVE-2026-44575 for further details.

References

AnalysisAI

Middleware bypass in Next.js App Router applications using Turbopack allows remote unauthenticated attackers to access protected content without authorization checks. This vulnerability is an incomplete fix for CVE-2026-44575, where the original patch failed to address middleware.ts files when Turbopack is enabled. Attackers can craft specially formatted segment-prefetch URLs that bypass middleware authorization rules, leading to unauthorized information disclosure. Vendor-released patches are available in Next.js 15.5.18 and 16.2.6. Active exploitation status and POC availability are not confirmed from available data.

Vendor StatusVendor

Share

CVE-2026-45109 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy