CVE-2026-44574
Published May 13, 2026
Last updated 20 hours ago
AI description
CVE-2026-44574 is a vulnerability affecting Next.js and React Server Components that allows an attacker to bypass middleware defenses. By injecting specially crafted query parameters, an attacker can modify dynamic route values, effectively concealing the true request path from security measures. This manipulation still permits the rendering of protected data on the backend, creating a blind spot within the application's security framework. This flaw requires only low privileges to exploit. The issue was addressed as part of a series of security patches released for React, which included fixes for several other vulnerabilities.
- Description: Next.js is a React framework for building full-stack web applications. From 15.4.0 to before 15.5.16 and 16.2.5, applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployments, specially crafted query parameters can alter the dynamic route value seen by the page while leaving the visible path unchanged, which can allow protected content to be rendered without passing the expected middleware check. This vulnerability is fixed in 15.5.16 and 16.2.5.
- Source: security-advisories@github.com
- NVD status: Analyzed
- Products: next.js
CVSS 3.1
- Type: Secondary
- Base score: 8.1
- Impact score: 5.2
- Exploitability score: 2.8
- Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- Severity: HIGH
- security-advisories@github.com: CWE-288
- Hype score: Not currently trending
Judging from the article, the vulnerabilities addressed in the latest Next.js release seem to be these 👀 CVE-2026-44574 CVE-2026-44575 CVE-2026-23870 CVE-2026-44578 CVE-2026-44579 Multiple Critical Vulnerabilities Patched in Next.js and React Server Components https://
@oTheRwoRldy
14 May 2026
⚠️ Vulnerabilities in Next.js products ❗ CVE-2026-44578 ❗ CVE-2026-44574 ❗ CVE-2026-44573 ➡️ More info: https://t.co/0U8Att9UKf https://t.co/xSWb6rTBgI
@CERTpy
12 May 2026
🚨 High - Next.js Multiple Vulnerabilities (CVE-2026-44573, CVE-2026-44574, CVE-2026-44575, CVE-2026-44578, CVE-2026-44579, CVE-2026-45109) Multiple issues were identified in Next.js affecting App Router, Pages Router, Server Components, WebSockets, and caching mechanisms. The
@UpwindMDR
11 May 2026
Next.js v16.2.4 Security PoC Collection CVE-2026-23870 CVE-2026-44575 CVE-2026-44579 CVE-2026-44574 CVE-2026-44578 CVE-2026-44573 CVE-2026-44581 CVE-2026-44580 CVE-2026-44577 CVE-2026-44576 CVE-2026-44582 CVE-2026-44572 https://t.co/255KwkLd0c via: Pr0xy
@Psycho10k_
11 May 2026
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
            "matchCriteriaId": "A54845B2-F643-440A-B0E6-7619A18429FB",
            "versionEndExcluding": "15.5.16",
            "versionStartIncluding": "15.4.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
            "matchCriteriaId": "27C5CF7A-7A33-4BE4-B8FD-10BFD813204A",
            "versionEndExcluding": "16.2.5",
            "versionStartIncluding": "16.0.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]