CVE-2026-45109
published 2026-05-13
Priority: P3 · 45 · high · CVSS 3.1: 7.5
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.51% (39.3th percentile)
Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. This vulnerability is fixed in 15.5.18 and 16.2.6.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mozilla | firefox | — | — |
| mozilla | thunderbird | — | — |
| next | next | — | — |
| next | next | >= 15.2.0 < 15.5.18 | 15.5.18 |
| next | next | >= 16.0.0 < 16.2.6 | 16.2.6 |
| rhelai3 | bootc-cuda-rhel9 | — | — |
| rhelai3 | bootc-gaudi-rhel9 | — | — |
| rhelai3 | bootc-rocm-rhel9 | — | — |
| rhelai3 | disk-image-cuda-rhel9 | — | — |
| rhtas | rekor-search-ui-rhel9 | — | — |
| vercel | next.js | >= 15.2.0 < 15.5.18 | 15.5.18 |
| vercel | next.js | >= 16.0.0 < 16.2.6 | 16.2.6 |
CVSS provenance
nvd · v3.1 · 7.5 · HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vendor_redhat · 7.5 · HIGH
Red Hat
next.js: Next.js: Information disclosure via security fix bypass in middleware with Turbopack
vendor_redhat·2026-05-13·CVSS 7.5
CVE-2026-45109 [HIGH] CWE-358 next.js: Next.js: Information disclosure via security fix bypass in middleware with Turbopack
A flaw was found in Next.js. A remote unauthenticated attacker could exploit a bypass in a security fix when using middleware.ts with Turbopack. This vulnerability could lead to the disclosure of sensitive information.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: firefox (Red Hat Enterprise Linux 10) - Affected
Package: thunderbird (Red Hat Enterprise Linux 10) - Affected
Package: firefox (Red Hat Enterprise Linux 7) - Affected
Package: firefox (Red Hat Enterprise Linux 8) - Affected
GHSA
Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
ghsa·2026-05-11
CVE-2026-45109 [HIGH] CWE-288 Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
### Impact
It was found that the fix addressing [CVE-2026-44575](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f) did not apply to `middleware.ts` with Turbopack. Refer to [CVE-2026-44575](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f) for further details.
### References
- [CVE-2026-44575](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f)
VulDB
next.js App Router Application authentication bypass
vuldb·2026-05-11
CVE-2026-45109 [CRITICAL] next.js App Router Application authentication bypass
A vulnerability identified as critical has been detected in next.js. This affects an unknown part of the component App Router Application. This manipulation causes authentication bypass using alternate channel.
The identification of this vulnerability is CVE-2026-45109. It is possible to initiate the attack remotely. There is no exploit available.
You should upgrade the affected component.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-45109 conky: Next.js: Information disclosure via security fix bypass in middleware with Turbopack [epel-all]
bugzilla·2026-06-02·CVSS 7.5
CVE-2026-45109 [HIGH] CVE-2026-45109 conky: Next.js: Information disclosure via security fix bypass in middleware with Turbopack [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-45109 mozjs128: Next.js: Information disclosure via security fix bypass in middleware with Turbopack [fedora-all]
bugzilla·2026-06-02·CVSS 7.5
CVE-2026-45109 [HIGH] CVE-2026-45109 mozjs128: Next.js: Information disclosure via security fix bypass in middleware with Turbopack [fedora-all]
Bugzilla
CVE-2026-45109 conky: Next.js: Information disclosure via security fix bypass in middleware with Turbopack [fedora-all]
bugzilla·2026-06-02·CVSS 7.5
CVE-2026-45109 [HIGH] CVE-2026-45109 conky: Next.js: Information disclosure via security fix bypass in middleware with Turbopack [fedora-all]
Bugzilla
CVE-2026-45109 mozjs140: Next.js: Information disclosure via security fix bypass in middleware with Turbopack [fedora-all]
bugzilla·2026-06-02·CVSS 7.5
CVE-2026-45109 [HIGH] CVE-2026-45109 mozjs140: Next.js: Information disclosure via security fix bypass in middleware with Turbopack [fedora-all]
Bugzilla
CVE-2026-45109 firefox: Next.js: Information disclosure via security fix bypass in middleware with Turbopack [fedora-all]
bugzilla·2026-06-02·CVSS 7.5
CVE-2026-45109 [HIGH] CVE-2026-45109 firefox: Next.js: Information disclosure via security fix bypass in middleware with Turbopack [fedora-all]
Bugzilla
CVE-2026-45109 thunderbird: Next.js: Information disclosure via security fix bypass in middleware with Turbopack [fedora-all]
bugzilla·2026-06-02·CVSS 7.5
CVE-2026-45109 [HIGH] CVE-2026-45109 thunderbird: Next.js: Information disclosure via security fix bypass in middleware with Turbopack [fedora-all]
Bugzilla
CVE-2026-45109 icecat: Next.js: Information disclosure via security fix bypass in middleware with Turbopack [fedora-all]
bugzilla·2026-06-02·CVSS 7.5
CVE-2026-45109 [HIGH] CVE-2026-45109 icecat: Next.js: Information disclosure via security fix bypass in middleware with Turbopack [fedora-all]
Bugzilla
CVE-2026-45109 next.js: Next.js: Information disclosure via security fix bypass in middleware with Turbopack
bugzilla·2026-05-13·CVSS 7.5
CVE-2026-45109 [HIGH] CVE-2026-45109 next.js: Next.js: Information disclosure via security fix bypass in middleware with Turbopack
Published 2026-05-13