CVE-2026-44574
Published 2026-05-13
Priority P3 · 52 · Severity high · CVSS 3.1 base score 8.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS 0.45% (35.8th percentile)
Next.js is a React framework for building full-stack web applications. From 15.4.0 to before 15.5.16 and 16.2.5, applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployments, specially crafted query parameters can alter the dynamic route value seen by the page while leaving the visible path unchanged, which can allow protected content to be rendered without passing the expected middleware check. This vulnerability is fixed in 15.5.16 and 16.2.5.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mozilla | firefox | — | — |
| mozilla | thunderbird | — | — |
| next | next | — | — |
| next | next | >= 15.4.0 < 15.5.16 | 15.5.16 |
| next | next | >= 16.0.0 < 16.2.5 | 16.2.5 |
| rhelai3 | bootc-cuda-rhel9 | — | — |
| rhelai3 | bootc-gaudi-rhel9 | — | — |
| rhelai3 | bootc-rocm-rhel9 | — | — |
| rhelai3 | disk-image-cuda-rhel9 | — | — |
| rhtas | rekor-search-ui-rhel9 | — | — |
| vercel | next.js | — | — |
| vercel | next.js | — | — |
| vercel | next.js | >= 15.4.0 < 15.5.16 | 15.5.16 |
| vercel | next.js | >= 16.0.0 < 16.2.5 | 16.2.5 |
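Two fixed ranges means a plain "is it below the patched version" check is not enough, and canary builds of the patched versions predate the fix. The following is an added JavaScript example, not code from the page or from Vercel, that classifies an installed Next.js version against the two ranges above; the sample version strings are constructed for illustration.

```javascript
// Added example: classify a Next.js version string against the CVE-2026-44574
// affected ranges (>= 15.4.0 < 15.5.16 and >= 16.0.0 < 16.2.5). Plain Node.js,
// no dependencies; the version strings in SAMPLES are constructed, not observed.

const AFFECTED_RANGES = [
  { from: [15, 4, 0], fixed: [15, 5, 16] },
  { from: [16, 0, 0], fixed: [16, 2, 5] },
];

// Parse "major.minor.patch[-prerelease][+build]" (optional leading "v").
// A prerelease tag such as "-canary.3" sorts before the release it names.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] !== undefined };
}

// Lexicographic compare of two [major, minor, patch] triples: -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns 'affected', 'fixed' or 'not-in-range' (older than 15.4.0, or a
// release line the advisory does not list).
function classify(versionString) {
  const { nums, prerelease } = parseVersion(versionString);
  for (const r of AFFECTED_RANGES) {
    if (cmp(nums, r.from) < 0) continue;            // below this range's floor
    const vsFixed = cmp(nums, r.fixed);
    // A prerelease of the fixed version (e.g. 15.5.16-canary.2) predates the
    // actual release, so it is treated conservatively as still affected.
    if (vsFixed < 0 || (vsFixed === 0 && prerelease)) return 'affected';
    if (nums[0] === r.fixed[0]) return 'fixed';     // same major, at/after the fix
  }
  return 'not-in-range';
}

// Constructed sample inputs.
const SAMPLES = ['15.3.9', '15.4.0', '15.5.15', '15.5.16-canary.2', '15.5.16', '16.2.4', '16.2.5', '14.2.30'];

function report() {
  return Object.fromEntries(SAMPLES.map((v) => [v, classify(v)]));
}

for (const [v, verdict] of Object.entries(report())) console.log(v.padEnd(18), verdict);
```

To feed it a real deployment, read the installed version with `node -p "require('next/package.json').version"` from the application directory and pass that string to `classify`; lockfiles can pin a different version than `package.json` declares, so check the resolved package, not the declared range.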
CVSS provenance
NVD (v3.1): 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Red Hat (vendor): 8.1 HIGH
VulDB
vercel next.js up to 15.5.15/16.2.4 Query authentication bypass
vuldb·2026-05-13·CVSS 8.1
CVE-2026-44574 [HIGH] vercel next.js up to 15.5.15/16.2.4 Query authentication bypass
A vulnerability classified as critical was found in vercel next.js up to 15.5.15/16.2.4. Affected by this issue is some unknown functionality of the component Query Handler. Such manipulation leads to authentication bypass using alternate channel.
This vulnerability is referenced as CVE-2026-44574. It is possible to launch the attack remotely. No exploit is available.
Upgrading the affected component is advised.
GHSA
Next.js has a Middleware / Proxy bypass through dynamic route parameter injection
ghsa·2026-05-11
CVE-2026-44574 [HIGH] CWE-288 Next.js has a Middleware / Proxy bypass through dynamic route parameter injection
### Impact
Applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployments, specially crafted query parameters can alter the dynamic route value seen by the page while leaving the visible path unchanged, which can allow protected content to be rendered without passing the expected middleware check.
### Fix
We now only honor internal route-parameter normalization in trusted routing flows and ignore externally supplied parameter encodings that should never have been accepted from ordinary requests.
### Workarounds
If you cannot upgrade immediately, enforce authorization in route or page logic instead of relying solely on middleware path mat
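The workaround above is the general rule for this bug class: a middleware that matches on the visible path authorizes a string, but the page renders with the dynamic parameter the router resolved, and the advisory says those can diverge. The following is an added, framework-free JavaScript model written for this page (it is not Next.js code and not Vercel's fix); it constructs a request whose resolved parameter differs from its path rather than reproducing any particular query encoding, and contrasts a page that trusts the middleware with one that re-checks the parameter it is about to render. The route `/reports/[slug]`, the `PROTECTED_REPORTS` set, the session shape and the `finance` role are all assumptions for illustration.

```javascript
// Added example: middleware-only authorization versus page-level authorization
// for a dynamic route. Pure JavaScript model; no Next.js APIs are used.

// Assumed protected resources for the hypothetical route /reports/[slug].
const PROTECTED_REPORTS = new Set(['q3-financials', 'board-minutes']);

// Assumed session shape: { user: string, roles: string[] } or null when anonymous.
function canRead(session, slug) {
  if (!PROTECTED_REPORTS.has(slug)) return true;
  return Boolean(session && Array.isArray(session.roles) && session.roles.includes('finance'));
}

// Middleware-style guard: it only ever sees the visible request path and
// derives the slug from it, which is exactly the assumption the bug breaks.
function middlewareGuard(pathname, session) {
  const m = /^\/reports\/([^/?#]+)$/.exec(pathname);
  if (!m) return 'next';                           // route not covered by this guard
  return canRead(session, decodeURIComponent(m[1])) ? 'next' : 'deny';
}

// Vulnerable pattern: the page assumes middleware already authorized params.slug.
function renderReportTrustingMiddleware(params) {
  return { status: 200, body: `report:${params.slug}` };
}

// Workaround pattern: the page authorizes the slug it is actually rendering.
function renderReportWithPageCheck(params, session) {
  if (!canRead(session, params.slug)) return { status: 403, body: '' };
  return { status: 200, body: `report:${params.slug}` };
}

// Dispatch in request order: middleware first, then the page. `resolvedParams`
// stands in for the value the router hands to the page; in the affected
// versions it can differ from what the path shows, which the model simply asserts.
function handle(request, session, page) {
  if (middlewareGuard(request.pathname, session) === 'deny') return { status: 403, body: '' };
  return page(request.resolvedParams, session);
}

// Constructed requests.
const divergent = { pathname: '/reports/weekly-summary', resolvedParams: { slug: 'q3-financials' } };
const honest = { pathname: '/reports/q3-financials', resolvedParams: { slug: 'q3-financials' } };
const anonymous = null;
const financeUser = { user: 'cfo', roles: ['finance'] };

function demo() {
  return {
    // Path looks public, middleware passes, page renders the protected slug.
    middlewareOnly: handle(divergent, anonymous, renderReportTrustingMiddleware).status,
    // Same request, but the page re-checks the resolved slug.
    withPageCheck: handle(divergent, anonymous, renderReportWithPageCheck).status,
    // Undisguised request: middleware alone is enough here.
    honestProtectedPath: handle(honest, anonymous, renderReportTrustingMiddleware).status,
    // Authorized user is still served with the page-level check in place.
    authorizedUser: handle(divergent, financeUser, renderReportWithPageCheck).status,
  };
}

console.log(demo());
```

In a real Next.js application the `renderReportWithPageCheck` logic belongs in the page or route handler, keyed on the `params` it receives and a session read from the request's cookies; the middleware check can stay as an early filter, but it must not be the only one.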
Red Hat
Next.js: Next.js: Authorization bypass via crafted query parameters
vendor_redhat·2026-05-13·CVSS 8.1
CVE-2026-44574 [HIGH] CWE-551 Next.js: Next.js: Authorization bypass via crafted query parameters
A flaw was found in Next.js. This vulnerability allows an attacker to bypass security checks in web applications that use Next.js middleware to protect specific web pages. By sending specially crafted web addresses, an attacker can access protected content without proper authorization. This could lead to unauthorized viewing of sensitive information or access to restricted features.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: firefox (Red Hat Enterprise Linux 10) - Affected
Package: thunderbird (Red Hat Enterpri
No detection rules found.
No public exploits indexed.
Bugzilla (Red Hat community trackers; each entry bugzilla · 2026-06-02 · CVSS 8.1 [HIGH])
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
- CVE-2026-44574 conky: Next.js: Authorization bypass via crafted query parameters [epel-all]
- CVE-2026-44574 firefox: Next.js: Authorization bypass via crafted query parameters [fedora-all]
- CVE-2026-44574 thunderbird: Next.js: Authorization bypass via crafted query parameters [fedora-all]
- CVE-2026-44574 mozjs128: Next.js: Authorization bypass via crafted query parameters [fedora-all]
- CVE-2026-44574 conky: Next.js: Authorization bypass via crafted query parameters [fedora-all]
- CVE-2026-44574 mozjs140: Next.js: Authorization bypass via crafted query parameters [fedora-all]
- CVE-2026-44574 icecat: Next.js: Authorization bypass via crafted query parameters [fedora-all]
Bugzilla
CVE-2026-44574 Next.js: Next.js: Authorization bypass via crafted query parameters
bugzilla·2026-05-13·CVSS 8.1 [HIGH]
Hackernews
⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
blogs_hackernews·2026-05-11·CVSS 9.3
CVE-2026-6973 [CRITICAL] ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
Rough Monday.
Somebody poisoned a trusted download again, somebody else turned cloud servers into public housing, and a few crews are still getting into boxes with bugs that should’ve died years ago — the same old holes, same lazy access paths, same “how the hell is this still open” feeling. One report this week basically reads like a guy tripped over root access by accident and decided to stay there.
The weird part is how normal this all sounds now. Fake updates. Quiet backdoors. Remote tools are used like skeleton keys. Forum rats swapping st