CVE-2026-44575
Published 2026-05-13
Priority: P3 (52) · CVSS 3.1: 7.5 high
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.42% (69.4th percentile)
Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used for segment prefetching. In affected configurations, specially crafted .rsc and segment-prefetch URLs can resolve to the same page without being matched by the intended middleware rule, which can allow protected content to be reached without the expected authorization check. This vulnerability is fixed in 15.5.16 and 16.2.5.
Affected (18 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mozilla | firefox | — | — |
| mozilla | thunderbird | — | — |
| next | next | — | — |
| next | next | >= 15.2.0 < 15.5.18 | 15.5.18 |
| next | next | >= 15.2.0 < 15.5.16 | 15.5.16 |
| next | next | >= 16.0.0 < 16.2.6 | 16.2.6 |
| next | next | >= 16.0.0 < 16.2.5 | 16.2.5 |
| rhelai3 | bootc-cuda-rhel9 | — | — |
| rhelai3 | bootc-gaudi-rhel9 | — | — |
| rhelai3 | bootc-rocm-rhel9 | — | — |
| rhelai3 | disk-image-cuda-rhel9 | — | — |
| rhtas | rekor-search-ui-rhel9 | — | — |
| vercel | next.js | — | — |
| vercel | next.js | — | — |
| vercel | next.js | >= 15.2.0 < 15.5.16 | 15.5.16 |
| vercel | next.js | >= 15.2.0 < 15.5.18 | 15.5.18 |
| vercel | next.js | >= 16.0.0 < 16.2.5 | 16.2.5 |
| vercel | next.js | >= 16.0.0 < 16.2.6 | 16.2.6 |

Fixed versions 15.5.16 and 16.2.5 close CVE-2026-44575 itself; the 15.5.18 and 16.2.6 ranges belong to the incomplete-fix follow-up CVE-2026-45109 (the fix did not apply to middleware.ts under Turbopack), so an App Router application whose middleware is built with Turbopack needs 15.5.18 or 16.2.6. The mozilla, rhelai3 and rhtas rows are distributor trackers opened on a best-effort basis (see the Red Hat and Bugzilla entries below) and do not by themselves establish that those packages ship affected Next.js code.
CVSS provenance
nvd v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vendor_redhat: 7.5 HIGH
VulDB
vercel next.js up to 15.5.15/16.2.4 authentication bypass
vuldb·2026-05-13·CVSS 7.5
CVE-2026-44575 [HIGH] vercel next.js up to 15.5.15/16.2.4 authentication bypass
A vulnerability was found in vercel next.js up to 15.5.15/16.2.4. It has been classified as critical. The affected element is an unknown function. This manipulation causes authentication bypass using alternate channel.
This vulnerability is registered as CVE-2026-44575. Remote exploitation of the attack is possible. No exploit is available.
Upgrading the affected component is recommended.
GHSA
Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
ghsa·2026-05-11
CVE-2026-45109 [HIGH] CWE-288 Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
### Impact
It was found that the fix addressing [CVE-2026-44575](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f) did not apply to `middleware.ts` with Turbopack. Refer to [CVE-2026-44575](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f) for further details.
### References
- [CVE CVE-2026-44575](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f)
GHSA
Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes
ghsa·2026-05-11
CVE-2026-44575 [HIGH] CWE-288 Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes
### Impact
App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used for segment prefetching. In affected configurations, specially crafted `.rsc` and segment-prefetch URLs can resolve to the same page without being matched by the intended middleware rule, which can allow protected content to be reached without the expected authorization check.
### Fix
We now include App Router transport variants when generating middleware matchers, so middleware protections are applied consistently to those requests as well as to the normal page URL.
### Workarounds
If you cannot upgrade immediately,
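The matcher gap described in the GHSA impact and fix notes above (and again in Red Hat's summary below), as an added example that is not Next.js source and not from the advisory: a toy `config.matcher`-style pattern compiler, the transport variants of a protected page that such a matcher never sees, a canonicalisation step that maps those variants back onto the page path before the rule is evaluated (the idea behind the upstream fix, which instead generates the variant matchers), and a coverage check that can live in CI. The variant shapes (`/dashboard.rsc`, `/dashboard.segments/_tree.segment.rsc`), the route names and the `decide` stand-in are assumptions for illustration; the advisory names only `.rsc` and segment-prefetch URLs.

```javascript
// Added example, not Next.js source. Models how a middleware matcher written
// against page URLs misses App Router transport variants of the same page.

// Variant shapes are ASSUMED for illustration: the advisory names ".rsc" and
// segment-prefetch URLs but does not spell out their exact syntax.
const RSC_SUFFIX = /\.rsc$/;
const SEGMENT_PREFETCH = /\.segments\/[^?]*$/;

// Compile a `config.matcher`-style pattern (`/dashboard/:path*`) to a regex.
// Deliberately simple: literal prefix, optional `:name*` tail, `:name` segment.
function compileMatcher(pattern) {
  const source = pattern
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters
    .replace(/\/:(\w+)\*/g, '(?:/.*)?')    // `/:path*` -> optional rest of path
    .replace(/:(\w+)/g, '[^/]+');          // `:id`     -> exactly one segment
  return new RegExp(`^${source}$`);
}

// Vulnerable-style check: evaluates the rules against the raw request path.
function naiveIsProtected(pathname, patterns) {
  return patterns.some((p) => compileMatcher(p).test(pathname));
}

// Map a transport variant back to the page it resolves to.
function canonicalPagePath(pathname) {
  let p = pathname.replace(SEGMENT_PREFETCH, '').replace(RSC_SUFFIX, '');
  if (p.length > 1 && p.endsWith('/')) p = p.slice(0, -1);
  return p || '/';
}

// Hardened check: same rules, evaluated against the canonical page path.
function hardenedIsProtected(pathname, patterns) {
  return naiveIsProtected(canonicalPagePath(pathname), patterns);
}

// Enumerate the assumed transport variants of a page.
function variantsOf(page) {
  return [page, `${page}.rsc`, `${page}.segments/_tree.segment.rsc`];
}

// Coverage check: which variants of the protected pages does a given check
// let through? An empty array means every transport variant is covered.
function findUncoveredVariants(pages, patterns, isProtected) {
  return pages.flatMap(variantsOf).filter((url) => !isProtected(url, patterns));
}

// Constructed rule set and page list for the demo (hypothetical routes).
const PROTECTED_PATTERNS = ['/dashboard/:path*', '/account'];
const PROTECTED_PAGES = ['/dashboard', '/dashboard/settings', '/account'];

// Minimal middleware stand-in: the decision the real one would return.
function decide(pathname, hasSession, isProtected) {
  if (isProtected(pathname, PROTECTED_PATTERNS) && !hasSession) {
    return 'redirect:/login';
  }
  return 'next';
}

function demo() {
  return {
    naiveUncovered: findUncoveredVariants(PROTECTED_PAGES, PROTECTED_PATTERNS, naiveIsProtected),
    hardenedUncovered: findUncoveredVariants(PROTECTED_PAGES, PROTECTED_PATTERNS, hardenedIsProtected),
    anonRscNaive: decide('/account.rsc', false, naiveIsProtected),
    anonRscHardened: decide('/account.rsc', false, hardenedIsProtected),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two things the run makes visible. First, the wildcard `/dashboard/:path*` does catch `/dashboard/settings.rsc` (the `.rsc` lands inside the wildcard tail) but never `/dashboard.rsc` or `/dashboard.segments/…`, and an exact rule such as `/account` catches no variant at all; the uncovered list is exactly those root-of-segment URLs, which is why the advisory talks about variants resolving to the same page without being matched. Second, the normalisation is a stopgap for hand-written middleware: the supported fix is the upgrade, and an authorization check repeated in the page or data layer does not depend on any matcher at all.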
Red Hat
next.js: Next.js: Unauthorized access to protected content via middleware bypass
vendor_redhat·2026-05-13·CVSS 7.5
CVE-2026-44575 [HIGH] CWE-551 next.js: Next.js: Unauthorized access to protected content via middleware bypass
A flaw was found in Next.js. App Router applications that use middleware or proxy-based authorization checks are vulnerable to unauthorized access. A remote attacker can exploit this by crafting specific .rsc and segment-prefetch URLs, which bypass the intended middleware rules. This allows access to protected content without proper authorization.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: firefox (Red Hat Enterprise Linux 10) - Affected
Package: thunderbird (Red Hat Enterprise Linux 10) - Affected
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-44575 conky: Next.js: Unauthorized access to protected content via middleware bypass [fedora-all]
bugzilla·2026-06-02·CVSS 7.5
CVE-2026-44575 [HIGH] conky: Next.js: Unauthorized access to protected content via middleware bypass [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-44575 icecat: Next.js: Unauthorized access to protected content via middleware bypass [fedora-all]
bugzilla·2026-06-02·CVSS 7.5
CVE-2026-44575 [HIGH] icecat: Next.js: Unauthorized access to protected content via middleware bypass [fedora-all]
Bugzilla
CVE-2026-44575 conky: Next.js: Unauthorized access to protected content via middleware bypass [epel-all]
bugzilla·2026-06-02·CVSS 7.5
CVE-2026-44575 [HIGH] conky: Next.js: Unauthorized access to protected content via middleware bypass [epel-all]
Bugzilla
CVE-2026-44575 mozjs140: Next.js: Unauthorized access to protected content via middleware bypass [fedora-all]
bugzilla·2026-06-02·CVSS 7.5
CVE-2026-44575 [HIGH] mozjs140: Next.js: Unauthorized access to protected content via middleware bypass [fedora-all]
Bugzilla
CVE-2026-44575 thunderbird: Next.js: Unauthorized access to protected content via middleware bypass [fedora-all]
bugzilla·2026-06-02·CVSS 7.5
CVE-2026-44575 [HIGH] thunderbird: Next.js: Unauthorized access to protected content via middleware bypass [fedora-all]
Bugzilla
CVE-2026-44575 mozjs128: Next.js: Unauthorized access to protected content via middleware bypass [fedora-all]
bugzilla·2026-06-02·CVSS 7.5
CVE-2026-44575 [HIGH] mozjs128: Next.js: Unauthorized access to protected content via middleware bypass [fedora-all]
Bugzilla
CVE-2026-44575 firefox: Next.js: Unauthorized access to protected content via middleware bypass [fedora-all]
bugzilla·2026-06-02·CVSS 7.5
CVE-2026-44575 [HIGH] firefox: Next.js: Unauthorized access to protected content via middleware bypass [fedora-all]
Bugzilla
CVE-2026-45109 next.js: Next.js: Information disclosure via security fix bypass in middleware with Turbopack
bugzilla·2026-05-13·CVSS 7.5
CVE-2026-45109 [HIGH] next.js: Next.js: Information disclosure via security fix bypass in middleware with Turbopack
Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. This vulnerability is fixed in 15.5.18 and 16.2.6.
Bugzilla
CVE-2026-44575 next.js: Next.js: Unauthorized access to protected content via middleware bypass
bugzilla·2026-05-13·CVSS 7.5
CVE-2026-44575 [HIGH] next.js: Next.js: Unauthorized access to protected content via middleware bypass
Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used for segment prefetching. In affected configurations, specially crafted .rsc and segment-prefetch URLs can resolve to the same page without being matched by the intended middleware rule, which can allow protected content to be reached without the expected authorization check. This vulnerability is fixed in 15.5.16 and 16.2.5.
Hackernews
⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
blogs_hackernews·2026-05-11·CVSS 9.3
CVE-2026-6973 [CRITICAL] ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
Rough Monday.
Somebody poisoned a trusted download again, somebody else turned cloud servers into public housing, and a few crews are still getting into boxes with bugs that should’ve died years ago — the same old holes, same lazy access paths, same “how the hell is this still open” feeling. One report this week basically reads like a guy tripped over root access by accident and decided to stay there.
The weird part is how normal this all sounds now. Fake updates. Quiet backdoors. Remote tools are used like skeleton keys. Forum rats swapping st
Published: 2026-05-13