CVE-2026-44573

Published May 13, 2026

Last updated a month ago

CVSS high 7.5
Next.js

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-44573 is identified as a Pages Router i18n Middleware Bypass vulnerability affecting applications built with Next.js. This flaw specifically impacts applications that utilize the Pages Router with internationalization (i18n) configured in conjunction with middleware-based authorization. The vulnerability allows locale-less requests to `/next/data/<buildId>/<page>.json` to completely bypass the middleware. This bypass enables attackers to retrieve server-side rendered JSON data for pages that should otherwise be protected by authorization checks. To address this, the matcher logic has been updated to ensure consistent matching for both prefixed and unprefixed data routes.

Description
Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /_next/data/<buildId>/<page>.json requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks. This vulnerability is fixed in 15.5.16 and 16.2.5.
Source
security-advisories@github.com
NVD status
Analyzed
Products
next.js

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-863

Social media

Hype score
Not currently trending

  1. ⚠️ Vulnerabilidades en productos Next.js ❗ CVE-2026-44578 ❗ CVE-2026-44574 ❗ CVE-2026-44573 ➡️ Más info: https://t.co/0U8Att9UKf https://t.co/xSWb6rTBgI

    @CERTpy

    12 May 2026

    86 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨 High - Next.js Multiple Vulnerabilities (CVE-2026-44573, CVE-2026-44574, CVE-2026-44575, CVE-2026-44578, CVE-2026-44579, CVE-2026-45109) Multiple issues were identified in Next.js affecting App Router, Pages Router, Server Components, WebSockets, and caching mechanisms. The

    @UpwindMDR

    11 May 2026

    91 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Next.js v16.2.4 Security PoC Collection CVE-2026-23870 CVE-2026-44575 CVE-2026-44579 CVE-2026-44574 CVE-2026-44578 CVE-2026-44573 CVE-2026-44581 CVE-2026-44580 CVE-2026-44577 CVE-2026-44576 CVE-2026-44582 CVE-2026-44572 https://t.co/255KwkLd0c via: Pr0xy

    @Psycho10k_

    11 May 2026

    1975 Impressions

    8 Retweets

    43 Likes

    28 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. This vulnerability is fixed in 15.5.18 and 16.2.6.CVE-2026-45109
  2. Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisions in the _rsc cache-busting value can allow an attacker to poison cache entries so users receive the wrong response variant for a given URL. This vulnerability is fixed in 15.5.16 and 16.2.5.CVE-2026-44582
  3. Next.js is a React framework for building full-stack web applications. From to before 15.5.16 and 16.2.5, applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected configurations, a malicious request can trigger a request-body handling deadlock that leaves connections open for an extended period, consuming file descriptors and server capacity until legitimate users are denied service. This vulnerability is fixed in 15.5.16 and 16.2.5.CVE-2026-44579
  4. Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors. This vulnerability is fixed in 15.5.16 and 16.2.5.CVE-2026-44581
  5. Next.js is a React framework for building full-stack web applications. From 13.0.0 to before 15.5.16 and 16.2.5, applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to break out of the intended script context and execute arbitrary JavaScript in a visitor's browser. This vulnerability is fixed in 15.5.16 and 16.2.5.CVE-2026-44580

References

Sources include official advisories and independent security research.