CVE-2026-44575
Next.js: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
In short
Next.js App Router has a flaw where the special URL variants used to prefetch page segments can slip past the middleware or proxy authorization checks meant to protect content, allowing an unauthenticated user to reach restricted pages that should require permission.
Technical detail
The vulnerability exists in Next.js 15.2.0 through 15.5.15 and 16.0.0 through 16.2.4, where segment-prefetch and .rsc route variants resolve to protected resources without matching middleware authorization rules. An attacker can craft requests to these transport-specific URLs to access content protected by middleware or proxy-based authorization, circumventing the intended access control.
Summary generated and translated by AI from the official description.
Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used for segment prefetching. In affected configurations, specially crafted .rsc and segment-prefetch URLs can resolve to the same page without being matched by the intended middleware rule, which can allow protected content to be reached without the expected authorization check. This vulnerability is fixed in 15.5.16 and 16.2.5.
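An added example for triage, not code from the advisory or the Next.js project: it reads the resolved `next` version out of a package-lock.json and tests it against the affected ranges stated above (15.2.0 to before 15.5.16, 16.0.0 to before 16.2.5). The lockfile fragment is constructed for the demo; prerelease builds of a fixed version are conservatively treated as still affected.

```javascript
// Affected ranges as stated in the advisory: [from, fixed) per major line.
const AFFECTED_RANGES = [
  { from: [15, 2, 0], fixed: [15, 5, 16] },
  { from: [16, 0, 0], fixed: [16, 2, 5] },
];

// Parse "15.5.3", "v15.5.3" or "15.5.3-canary.7" into numeric parts plus a prerelease tag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Lexicographic compare of [major, minor, patch]; -1, 0 or 1.
function compareNums(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when the version falls inside a vulnerable range. A prerelease of the fixed
// version (e.g. 15.5.16-canary.2) sorts before the release, so it counts as affected.
function isAffected(version) {
  const { nums, pre } = parseVersion(version);
  return AFFECTED_RANGES.some(({ from, fixed }) => {
    const atOrAbove = compareNums(nums, from) >= 0;
    const cmpFixed = compareNums(nums, fixed);
    const belowFixed = cmpFixed < 0 || (cmpFixed === 0 && pre !== null);
    return atOrAbove && belowFixed;
  });
}

// Resolved "next" version from a lockfile: v2/v3 "packages" map or legacy "dependencies".
function installedNextVersion(lockfileJson) {
  const lock = typeof lockfileJson === 'string' ? JSON.parse(lockfileJson) : lockfileJson;
  const entry = (lock.packages && lock.packages['node_modules/next'])
    || (lock.dependencies && lock.dependencies.next);
  return entry ? entry.version : null;
}

// Constructed sample lockfile fragment (not a real project's file).
const SAMPLE_LOCK = JSON.stringify({
  name: 'example-app', lockfileVersion: 3,
  packages: { '': { dependencies: { next: '^15.5.0' } }, 'node_modules/next': { version: '15.5.12' } },
});

const found = installedNextVersion(SAMPLE_LOCK);
console.log(`next@${found}: ${isAffected(found) ? 'AFFECTED, upgrade to 15.5.16 / 16.2.5' : 'outside affected ranges'}`);
```

Run it against each App Router deployment's lockfile; the version check is only a proxy for the real fix, which is upgrading to 15.5.16 or 16.2.5.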
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
vercel · next.js