CVE-2026-44572 Overview
CVE-2026-44572 is a cache poisoning vulnerability in Vercel Next.js affecting versions 12.2.0 through 15.5.15 and 16.0.0 through 16.2.4. The flaw allows an external attacker to send a crafted x-nextjs-data header to a middleware-handled path that returns a redirect. Next.js then replaces the standard Location header with the internal x-nextjs-redirect header. Browsers do not follow x-nextjs-redirect, producing a broken redirect response. When deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single request can poison the cached redirect and deny service to subsequent visitors. The issue is tracked under [CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data].
Critical Impact
A single unauthenticated HTTP request can poison cached redirect responses on shared CDN infrastructure, causing denial of service for any user visiting affected redirect paths until the cache entry expires.
Affected Products
- Vercel Next.js versions 12.2.0 through 15.5.15
- Vercel Next.js versions 16.0.0 through 16.2.4
- Applications using Next.js middleware that returns redirects behind a caching CDN or reverse proxy
Discovery Timeline
- 2026-05-13 - CVE-2026-44572 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-44572
Vulnerability Analysis
The vulnerability stems from how Next.js middleware processes the x-nextjs-data header. This header signals that the request originates from the Next.js client-side router and expects a data response rather than a full HTML page. When middleware returns a redirect for such a request, Next.js rewrites the response to use the internal x-nextjs-redirect header instead of the HTTP-standard Location header.
This behavior is correct for legitimate internal data requests. The defect is that any external client can supply the x-nextjs-data header on a normal browser request. Next.js trusts the header without validating its origin, satisfying the conditions described in [CWE-349]. The resulting response carries a 3xx status code but no Location header, so browsers cannot follow the redirect.
The denial-of-service impact materializes at the cache layer. CDNs and reverse proxies routinely cache 3xx responses. If the cache does not vary on the x-nextjs-data header (that is, the header is not part of the cache key), the poisoned response is stored under the plain URL and served to every subsequent visitor of that path.
Root Cause
Next.js middleware accepts the x-nextjs-data header from untrusted external clients and uses it to switch the redirect response format. The framework does not distinguish between legitimate internal router requests and forged external requests carrying the same header.
Attack Vector
The attacker sends an HTTP request to a middleware-handled redirect path with the x-nextjs-data: 1 header. The Next.js application returns a 3xx response containing x-nextjs-redirect instead of Location. A caching layer in front of the application stores this response under the standard URL cache key. Subsequent visitors receive the broken redirect from cache, breaking navigation for the affected path until the entry is evicted or purged. Exploitation requires no authentication and no user interaction.
Detection Methods for CVE-2026-44572
Indicators of Compromise
- HTTP requests containing the x-nextjs-data header originating from clients that did not first load a Next.js page
- Cached 3xx responses from CDN edges that lack a Location header but contain x-nextjs-redirect
- User reports of broken navigation or stalled redirects affecting a specific path simultaneously across many clients
- Spikes in error logs from client-side routing for paths handled by middleware
Detection Strategies
- Inspect CDN access logs for inbound requests containing x-nextjs-data paired with browser-typical User-Agent and Accept: text/html values
- Audit Next.js middleware routes that issue redirects and verify cache headers on responses
- Probe production redirect endpoints with synthetic monitoring that asserts a Location header is present on 3xx responses
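The log inspection and synthetic redirect check from the strategies above, as an added example that is not code from the advisory or from Next.js. The CDN log format is a constructed JSON-lines shape (one object per line, with request and response header maps); map the field names onto your own CDN's log export before using it.

```javascript
// Added example: flag suspicious x-nextjs-data requests and broken cached
// redirects in a CDN log export. The log lines below are constructed samples.

const SAMPLE_CDN_LOG = [
  // Legitimate client-side router data fetch: Accept is not text/html.
  '{"ts":"2026-05-14T10:00:01Z","path":"/_next/data/build1/old-page.json","status":200,"req":{"x-nextjs-data":"1","user-agent":"Mozilla/5.0 Chrome/124","accept":"*/*"},"res":{"content-type":"application/json"},"cache":"MISS"}',
  // Suspicious: x-nextjs-data on a browser-style navigation, and the origin
  // answered with x-nextjs-redirect but no Location header.
  '{"ts":"2026-05-14T10:00:05Z","path":"/old-page","status":307,"req":{"x-nextjs-data":"1","user-agent":"Mozilla/5.0 Chrome/124","accept":"text/html,application/xhtml+xml"},"res":{"x-nextjs-redirect":"/new-page"},"cache":"MISS"}',
  // A later visitor is served that broken redirect from cache.
  '{"ts":"2026-05-14T10:00:09Z","path":"/old-page","status":307,"req":{"user-agent":"Mozilla/5.0 Firefox/126","accept":"text/html"},"res":{"x-nextjs-redirect":"/new-page"},"cache":"HIT"}',
  // Healthy redirect: Location is present.
  '{"ts":"2026-05-14T10:00:12Z","path":"/legacy","status":308,"req":{"user-agent":"Mozilla/5.0 Safari/17","accept":"text/html"},"res":{"location":"/current"},"cache":"HIT"}',
];

// Normalise header names to lowercase so lookups are case-insensitive.
function lowerKeys(obj) {
  const out = {};
  for (const [k, v] of Object.entries(obj || {})) out[k.toLowerCase()] = v;
  return out;
}

function parseLogLine(line) {
  const e = JSON.parse(line);
  return { ...e, req: lowerKeys(e.req), res: lowerKeys(e.res) };
}

// Strategy 1: x-nextjs-data paired with a browser-typical User-Agent and an
// Accept header that asks for text/html. The router's own data fetches do
// not ask for HTML, so this combination is the one worth reviewing.
function isSuspiciousDataRequest(entry) {
  const ua = entry.req["user-agent"] || "";
  const accept = entry.req["accept"] || "";
  return "x-nextjs-data" in entry.req &&
    ua.startsWith("Mozilla/") &&
    accept.toLowerCase().includes("text/html");
}

// Strategy 3 (synthetic monitoring): classify a redirect response by its
// headers. "broken" is a 3xx carrying x-nextjs-redirect but no Location.
function checkRedirectResponse(status, headers) {
  const h = lowerKeys(headers);
  if (status < 300 || status > 399) return "not-redirect";
  if ("location" in h) return "ok";
  return "x-nextjs-redirect" in h ? "broken" : "no-location";
}

// Run both checks over a log export and collect the findings.
function analyzeLog(lines) {
  const findings = { suspiciousRequests: [], brokenRedirects: [], poisonedCacheHits: [] };
  for (const line of lines) {
    const entry = parseLogLine(line);
    const ref = { ts: entry.ts, path: entry.path };
    if (isSuspiciousDataRequest(entry)) findings.suspiciousRequests.push(ref);
    if (checkRedirectResponse(entry.status, entry.res) === "broken") {
      findings.brokenRedirects.push(ref);
      // A cache HIT on a broken redirect means the entry is already poisoned
      // and is being served to other users from the edge.
      if (entry.cache === "HIT") findings.poisonedCacheHits.push(ref);
    }
  }
  return findings;
}

console.log(JSON.stringify(analyzeLog(SAMPLE_CDN_LOG), null, 2));
```

On the sample above the run reports one suspicious request (the browser-style navigation carrying x-nextjs-data), two broken redirects for /old-page, and one of them served as a cache HIT; the healthy 308 on /legacy passes because it carries a Location header. The same checkRedirectResponse function can back a synthetic monitor that fetches each middleware redirect path and alerts on anything other than "ok".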
Monitoring Recommendations
- Alert on elevated rates of 3xx cache hits without a Location header at the edge
- Monitor client-side navigation telemetry for sustained redirect failures on specific paths
- Track the Next.js version inventory across deployments to identify unpatched applications
How to Mitigate CVE-2026-44572
Immediate Actions Required
- Upgrade Next.js to version 15.5.16 or 16.2.5 for affected branches
- Configure the upstream CDN or reverse proxy to include x-nextjs-data in the Vary header or cache key for middleware-handled paths
- Purge cached redirect responses for paths served by middleware after applying the patch
- Inventory all Next.js applications and identify those in the affected version range
Patch Information
Vercel fixed the vulnerability in Next.js 15.5.16 and 16.2.5. The patched versions prevent middleware from rewriting redirects to x-nextjs-redirect when the x-nextjs-data header arrives from an external client context. Details are published in the GitHub Security Advisory GHSA-3g8h-86w9-wvmq.
Workarounds
- Strip the x-nextjs-data header from inbound requests at the edge before they reach the Next.js application
- Disable caching of 3xx responses for paths handled by middleware until the patch is deployed
- Add Vary: x-nextjs-data to redirect responses originating from middleware to prevent cross-client cache poisoning
# Example: strip x-nextjs-data at an Nginx reverse proxy
location / {
    # An empty value tells Nginx not to pass the header field to the upstream
    # at all, so the Next.js origin never sees a client-supplied x-nextjs-data.
    proxy_set_header x-nextjs-data "";
    proxy_pass http://nextjs_upstream;
}
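The three workarounds expressed as header transforms for a Node.js reverse proxy, as an added example that is not code from the advisory or from Next.js. Header maps are plain objects (a constructed shape); which proxy framework and request/response hooks these functions attach to is left to the deployment and is not specified here.

```javascript
// Added example: edge-side workarounds for CVE-2026-44572 as pure functions
// over header maps. The header-map shape is constructed for this example.

const DATA_HEADER = "x-nextjs-data";

// Workaround 1: drop x-nextjs-data from inbound requests before they reach
// the Next.js origin, so an external client cannot switch the redirect format.
function stripNextjsDataHeader(reqHeaders) {
  const out = {};
  for (const [k, v] of Object.entries(reqHeaders)) {
    if (k.toLowerCase() !== DATA_HEADER) out[k] = v;
  }
  return out;
}

// Append a field name to an existing Vary value unless it is already listed
// (case-insensitive) or the value is "*", which already prevents cache sharing.
function mergeVary(existing, field) {
  if (!existing) return field;
  const parts = existing.split(",").map((p) => p.trim()).filter(Boolean);
  if (parts.includes("*")) return existing;
  if (parts.some((p) => p.toLowerCase() === field.toLowerCase())) return existing;
  return `${existing}, ${field}`;
}

// Workarounds 2 and 3, applied to a response on its way back out:
//   - disableCaching: mark 3xx responses uncacheable until the patch ships.
//   - otherwise: add Vary: x-nextjs-data so the data-format and browser-format
//     redirects land in separate cache entries instead of colliding.
// Non-redirect responses are returned unchanged.
function hardenRedirectResponse(status, resHeaders, { disableCaching = false } = {}) {
  const out = { ...resHeaders };
  if (status < 300 || status > 399) return out;
  if (disableCaching) {
    out["cache-control"] = "no-store";
  } else {
    out["vary"] = mergeVary(out["vary"], DATA_HEADER);
  }
  return out;
}

console.log(stripNextjsDataHeader({ host: "app.example", "X-Nextjs-Data": "1" }));
console.log(hardenRedirectResponse(307, { location: "/new-page", vary: "Accept-Encoding" }));
console.log(hardenRedirectResponse(307, { location: "/new-page" }, { disableCaching: true }));
```

Workaround 1 is the strongest of the three because it removes the trigger before the framework sees it; the Vary and no-store variants only contain the cache impact and should be paired with a purge of existing redirect entries, as the immediate actions above describe.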
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.