Threat Advisory

Next.js Vulnerabilities Impact Identity Verification and Request Routing

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

A group of vulnerabilities has been identified in the Next.js package, which is used for building server-side rendered and statically generated React applications. These vulnerabilities allow unauthorized access to protected page data by bypassing middleware and proxy-based authorization checks. This poses a significant business risk, as an attacker can potentially gain access to sensitive data and compromise the application. The impact can be severe, resulting in data breaches, financial loss, and reputational damage.

CVE-2026-44573 with a CVSS score of 7.5 – Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /_next/data//.json requests. An attacker can exploit this vulnerability by sending crafted requests to bypass the intended authorization checks.

CVE-2026-44574 with a CVSS score of 8.1 – Applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. A specially crafted query parameter can alter the dynamic route value seen by the page, allowing protected content to be rendered without passing the expected middleware check.

CVE-2026-44575 with a CVSS score of 7.5 – App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used for segment prefetching. An attacker can exploit this vulnerability by sending crafted .rsc and segment-prefetch URLs to bypass the intended middleware rule.

CVE-2026-44578 with a CVSS score of 8.6 – Next.js is vulnerable to server-side request forgery in applications using WebSocket upgrades. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, exposing internal services or cloud metadata endpoints.

CVE-2026-44579 with a CVSS score of 7.5 – Applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. A malicious request can trigger a request-body handling deadlock, consuming file descriptors and server capacity until legitimate users are denied service.

CVE-2026-45109 with a CVSS score of 7.5 – Next.js has a middleware/proxy bypass in App Router applications via segment-prefetch routes due to an incomplete fix for CVE-2026-44575. This vulnerability allows an attacker to bypass the intended middleware rule by sending crafted .rsc and segment-prefetch URLs, gaining unauthorized access to protected content.
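As an added defensive example (not code from this advisory or from the Next.js project), the JavaScript below shows the mitigation common to the authorization bypasses above: the page's data loader re-checks the session and record ownership itself instead of trusting that a middleware path rule already ran, and it keys on the logical route rather than on the transport-specific URL form. The route table, session shape and prefix matcher are constructed stand-ins, not Next.js APIs.

```javascript
// Constructed stand-in for middleware: it decides purely on the path prefix,
// so a transport variant (a /_next/data/.../*.json or .rsc URL) that does not
// share the prefix is never treated as protected.
const PROTECTED_PREFIXES = ["/dashboard", "/account"];

function middlewareAllows(pathname, session) {
  const covered = PROTECTED_PREFIXES.some(
    (p) => pathname === p || pathname.startsWith(p + "/")
  );
  return !covered || Boolean(session && session.userId);
}

// Map a transport-specific URL back to the logical route, so the page-level
// check keys on the route rather than on how the request was framed.
function canonicalRoute(pathname) {
  let route = pathname;
  const data = route.match(/^\/_next\/data\/[^/]+(\/.*)\.json$/);
  if (data) route = data[1];
  route = route.replace(/\.rsc$/, "").replace(/\/{2,}/g, "/");
  return route === "/index" ? "/" : route;
}

// Constructed data store: every record carries its owner.
const RECORDS = {
  "/account/42": { ownerId: "u42", body: "account 42 settings" },
};

// Page-level authorization: assumes nothing about middleware and checks
// ownership of the concrete record, not just the route parameter.
function loadPage(route, session) {
  if (!session || !session.userId) return { status: 401, body: null };
  const rec = RECORDS[route];
  if (!rec) return { status: 404, body: null };
  if (rec.ownerId !== session.userId) return { status: 403, body: null };
  return { status: 200, body: rec.body };
}

// Full request path: middleware first, then the loader's own check.
function handle(pathname, session) {
  if (!middlewareAllows(pathname, session)) return { status: 401, body: null };
  return loadPage(canonicalRoute(pathname), session);
}
```

With only the middleware check, the data-route form of the request would be served unauthenticated; with the loader's own check it is refused regardless of which URL variant reached it.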


RECOMMENDATION:

We strongly recommend updating Next.js to the fixed version given in the GitHub advisory for each CVE:
CVE-2026-44573: https://github.com/advisories/GHSA-36qx-fr4f-26g5
CVE-2026-44574: https://github.com/advisories/GHSA-492v-c6pp-mqqv
CVE-2026-44575: https://github.com/advisories/GHSA-267c-6grr-h53f
CVE-2026-44578: https://github.com/advisories/GHSA-c4j6-fc7j-m34r
CVE-2026-44579: https://github.com/advisories/GHSA-mg66-mrh9-m8jx
CVE-2026-45109: https://github.com/advisories/GHSA-26hh-7cqf-hhc6

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-36qx-fr4f-26g5
https://github.com/advisories/GHSA-492v-c6pp-mqqv
https://github.com/advisories/GHSA-267c-6grr-h53f
https://github.com/advisories/GHSA-c4j6-fc7j-m34r
https://github.com/advisories/GHSA-mg66-mrh9-m8jx
https://github.com/advisories/GHSA-26hh-7cqf-hhc6
