CVE-2026-44573
Published 2026-05-13
Priority: P3 · 50 · high · 7.5 CVSS 3.1
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.46% (36.4th percentile)
Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /_next/data//.json requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks. This vulnerability is fixed in 15.5.16 and 16.2.5.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mozilla | firefox | — | — |
| mozilla | thunderbird | — | — |
| next | next | — | — |
| next | next | >= 12.2.0 < 15.5.16 | 15.5.16 |
| next | next | >= 16.0.0 < 16.2.5 | 16.2.5 |
| rhelai3 | bootc-cuda-rhel9 | — | — |
| rhelai3 | bootc-gaudi-rhel9 | — | — |
| rhelai3 | bootc-rocm-rhel9 | — | — |
| rhelai3 | disk-image-cuda-rhel9 | — | — |
| rhtas | rekor-search-ui-rhel9 | — | — |
| vercel | next.js | — | — |
| vercel | next.js | — | — |
| vercel | next.js | >= 12.2.0 < 15.5.16 | 15.5.16 |
| vercel | next.js | >= 16.0.0 < 16.2.5 | 16.2.5 |
CVSS provenance
NVD (CVSS v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Red Hat (vendor): 7.5 HIGH
VulDB
vercel next.js up to 15.5.15/16.2.4 /_next/data/.json authorization
vuldb·2026-05-13·CVSS 7.5
CVE-2026-44573 [HIGH] vercel next.js up to 15.5.15/16.2.4 /_next/data/.json authorization
A vulnerability was found in vercel next.js up to 15.5.15/16.2.4 and classified as problematic. Impacted is an unknown function of the file /_next/data/.json. The manipulation results in incorrect authorization.
This vulnerability is cataloged as CVE-2026-44573. The attack may be launched remotely. There is no exploit available.
It is suggested to upgrade the affected component.
GHSA
Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n
ghsa·2026-05-11
CVE-2026-44573 [HIGH] CWE-863 Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n
### Impact
Applications using the Pages Router with `i18n` configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less `/_next/data//.json` requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks.
### Fix
The matcher logic was updated to perform the same match as it would on a non-i18n data route.
### Workarounds
If you cannot upgrade immediately, enforce authorization in the page's server-side data path instead of relying solely on middleware.
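The workaround above means the page's own `getServerSideProps` must reject an unauthenticated request on its own, because the locale-less data route reaches it without middleware ever running. The wrapper below is an added example, not code from the advisory or from the Next.js project; it assumes a session cookie named `session` and a `validateSession` lookup supplied by the application, and the session store is constructed sample data.

```javascript
// Added example: run authorization inside getServerSideProps so that every
// render of the page, including /_next/data/... JSON fetches that skipped
// middleware, is checked before any protected props are produced.
const SESSION_COOKIE = "session"; // assumption: the app's session cookie name

// Parse a raw Cookie header ("a=1; b=2") into a plain object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Wrap a page's getServerSideProps. validateSession(token) returns the user
// for a valid token or null; on failure the page redirects to /login and the
// protected getProps body never runs, so no SSR JSON is built for the caller.
function withAuth(validateSession, getProps) {
  return function guardedGetServerSideProps(ctx) {
    const cookies = parseCookies(ctx.req.headers.cookie);
    const user = validateSession(cookies[SESSION_COOKIE]);
    if (!user) {
      return { redirect: { destination: "/login", permanent: false } };
    }
    return getProps(ctx, user);
  };
}

// Constructed session store standing in for a real lookup (example data).
const SESSIONS = { "tok-alice": { id: 1, name: "alice" } };
function lookupSession(token) {
  return token && Object.prototype.hasOwnProperty.call(SESSIONS, token)
    ? SESSIONS[token]
    : null;
}

// A protected page: the inner function only runs for an authorized user.
const getServerSideProps = withAuth(lookupSession, (_ctx, user) => ({
  props: { secret: `hello ${user.name}` },
}));
```

Because the check lives in the data path rather than in middleware, it applies identically to the HTML render and to the data-route request, which is the property the middleware matcher bug broke.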
Red Hat
next.js: Next.js: Information disclosure due to middleware bypass in Pages Router with i18n
vendor_redhat·2026-05-13·CVSS 7.5
CVE-2026-44573 [HIGH] CWE-551 next.js: Next.js: Information disclosure due to middleware bypass in Pages Router with i18n
A flaw was found in Next.js. Applications utilizing the Pages Router with internationalization (i18n) configured and middleware or proxy-based authorization are susceptible to unauthorized access. A remote attacker can exploit this by making locale-less /_next/data//.json requests, which bypass the intended authorization checks. This allows the attacker to retrieve sensitive server-side rendered (SSR) JSON data from protected pages, leading to information disclosure.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-44573 firefox: Next.js: Information disclosure due to middleware bypass in Pages Router with i18n [fedora-all]
bugzilla·2026-06-02·CVSS 7.5
CVE-2026-44573 [HIGH] CVE-2026-44573 firefox: Next.js: Information disclosure due to middleware bypass in Pages Router with i18n [fedora-all]
Disclaimer: Community trackers are created by the Red Hat Product Security team on a best-effort basis. Package maintainers are required to ascertain whether the flaw indeed affects their package before starting the update process.
Bugzilla
CVE-2026-44573 conky: Next.js: Information disclosure due to middleware bypass in Pages Router with i18n [epel-all]
bugzilla·2026-06-02·CVSS 7.5
CVE-2026-44573 [HIGH] CVE-2026-44573 conky: Next.js: Information disclosure due to middleware bypass in Pages Router with i18n [epel-all]
Bugzilla
CVE-2026-44573 icecat: Next.js: Information disclosure due to middleware bypass in Pages Router with i18n [fedora-all]
bugzilla·2026-06-02·CVSS 7.5
CVE-2026-44573 [HIGH] CVE-2026-44573 icecat: Next.js: Information disclosure due to middleware bypass in Pages Router with i18n [fedora-all]
Bugzilla
CVE-2026-44573 thunderbird: Next.js: Information disclosure due to middleware bypass in Pages Router with i18n [fedora-all]
bugzilla·2026-06-02·CVSS 7.5
CVE-2026-44573 [HIGH] CVE-2026-44573 thunderbird: Next.js: Information disclosure due to middleware bypass in Pages Router with i18n [fedora-all]
Bugzilla
CVE-2026-44573 conky: Next.js: Information disclosure due to middleware bypass in Pages Router with i18n [fedora-all]
bugzilla·2026-06-02·CVSS 7.5
CVE-2026-44573 [HIGH] CVE-2026-44573 conky: Next.js: Information disclosure due to middleware bypass in Pages Router with i18n [fedora-all]
Bugzilla
CVE-2026-44573 mozjs128: Next.js: Information disclosure due to middleware bypass in Pages Router with i18n [fedora-all]
bugzilla·2026-06-02·CVSS 7.5
CVE-2026-44573 [HIGH] CVE-2026-44573 mozjs128: Next.js: Information disclosure due to middleware bypass in Pages Router with i18n [fedora-all]
Bugzilla
CVE-2026-44573 mozjs140: Next.js: Information disclosure due to middleware bypass in Pages Router with i18n [fedora-all]
bugzilla·2026-06-02·CVSS 7.5
CVE-2026-44573 [HIGH] CVE-2026-44573 mozjs140: Next.js: Information disclosure due to middleware bypass in Pages Router with i18n [fedora-all]
Bugzilla
CVE-2026-44573 next.js: Next.js: Information disclosure due to middleware bypass in Pages Router with i18n
bugzilla·2026-05-13·CVSS 7.5
CVE-2026-44573 [HIGH] CVE-2026-44573 next.js: Next.js: Information disclosure due to middleware bypass in Pages Router with i18n
Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /_next/data//.json requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks. This vulnerability is fixed in 15.5.16 and 16.2.5.
Hackernews
⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
blogs_hackernews·2026-05-11·CVSS 9.3
CVE-2026-6973 [CRITICAL] ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
## ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
Rough Monday.
Somebody poisoned a trusted download again, somebody else turned cloud servers into public housing, and a few crews are still getting into boxes with bugs that should’ve died years ago — the same old holes, same lazy access paths, same “how the hell is this still open” feeling. One report this week basically reads like a guy tripped over root access by accident and decided to stay there.
The weird part is how normal this all sounds now. Fake updates. Quiet backdoors. Remote tools are used like skeleton keys. Forum rats swapping st