
CVE-2026-44574: Vercel Next.js Auth Bypass Vulnerability

CVE-2026-44574 is an authorization bypass flaw in Vercel Next.js that allows attackers to access protected content by manipulating query parameters. This article covers technical details, affected versions, and mitigation.

Published: May 17, 2026

CVE-2026-44574 Overview

CVE-2026-44574 is an authorization bypass vulnerability in Vercel Next.js, a React framework for full-stack web applications. The flaw affects versions from 15.4.0 up to (but not including) 15.5.16 on the 15.x branch and from 16.0.0 up to (but not including) 16.2.5 on the 16.x branch. Applications that rely on middleware to protect dynamic routes are at risk. Attackers can craft query parameters that alter the dynamic route value seen by the page while leaving the visible path unchanged. This discrepancy causes protected content to render without passing the expected middleware check. The vulnerability is tracked as CWE-288: Authentication Bypass Using an Alternate Path or Channel.

Critical Impact

Authenticated attackers can bypass middleware-based authorization controls and access protected dynamic routes, exposing confidential content and enabling unauthorized actions across affected Next.js deployments.

Affected Products

  • Vercel Next.js versions 15.4.0 through 15.5.15
  • Vercel Next.js versions 16.0.0 through 16.2.4
  • Next.js deployments running on Node.js that use middleware to enforce route authorization

Discovery Timeline

  • 2026-05-13 - CVE-2026-44574 published to NVD
  • 2026-05-14 - Last updated in NVD database

Technical Details for CVE-2026-44574

Vulnerability Analysis

The vulnerability arises from inconsistent handling of dynamic route parameters between the Next.js middleware layer and the page rendering layer. Middleware in Next.js inspects the incoming request path and applies access controls based on the route segment matched at the edge. The page handler subsequently resolves the same dynamic segment when rendering content.

Attackers can submit specially crafted query parameters that influence the dynamic route value resolved by the page without modifying the URL path observed by middleware. The middleware evaluates the original path and grants access, while the page handler renders a different protected resource based on the manipulated parameter. Successful exploitation results in confidentiality and integrity impact on protected resources, with no impact on availability.

Root Cause

The root cause is a route resolution inconsistency between request interception in middleware and dynamic segment evaluation during page rendering. Next.js trusts that the path seen by middleware matches the route ultimately rendered. Query parameters that override or shadow the dynamic segment break this assumption. Authorization decisions are therefore made against a different route than the one served, satisfying the conditions of CWE-288.

Attack Vector

Exploitation requires network access and low-privileged authentication, with no user interaction. An attacker sends a request to a permitted route, such as a user's own resource path, and appends query parameters that cause the page to resolve a protected dynamic route value. Middleware approves the request based on the visible path. The page renders the unauthorized resource, returning protected data to the attacker.

No verified public exploit code is available. The vulnerability mechanism is described in the GitHub Security Advisory GHSA-492v-c6pp-mqqv.

Detection Methods for CVE-2026-44574

Indicators of Compromise

  • Web server access logs showing requests to permitted routes accompanied by unusual or unexpected query parameters that match dynamic segment names
  • Application logs where the middleware-evaluated path and the rendered route identifier diverge for the same request
  • Successful authorized responses for resources that the authenticated principal should not be able to access

Detection Strategies

  • Correlate middleware authorization decisions with the final route resolved by the page handler and alert on mismatches
  • Inspect HTTP request telemetry for query parameter keys that collide with dynamic route segment names such as id, slug, or userId
  • Compare resource identifiers returned in responses against the session principal's authorized resource scope

Monitoring Recommendations

  • Enable verbose logging in Next.js middleware to capture both the incoming request.nextUrl.pathname and the parameters used for downstream rendering
  • Forward Next.js application and reverse proxy logs to a centralized analytics platform for cross-layer correlation
  • Establish baselines for query parameter usage on protected dynamic routes and alert on statistical anomalies

How to Mitigate CVE-2026-44574

Immediate Actions Required

  • Upgrade Next.js to version 15.5.16 for the 15.x branch or 16.2.5 for the 16.x branch
  • Audit all middleware-based authorization logic and re-validate authorization within page handlers and server actions as a defense-in-depth measure
  • Review recent access logs for protected dynamic routes to identify potential exploitation attempts since 15.4.0 was deployed

Patch Information

Vercel has released fixed versions 15.5.16 and 16.2.5. Refer to the Vercel Next.js Security Advisory GHSA-492v-c6pp-mqqv for full remediation details. Upgrading is the only complete fix.

Workarounds

  • Enforce authorization checks inside page components, server actions, and API route handlers rather than relying solely on middleware
  • Strip or normalize incoming query parameters that share names with dynamic route segments before passing them to page handlers
  • Deploy a reverse proxy or web application firewall rule that rejects requests where query parameters duplicate dynamic segment keys on protected routes

```bash
# Upgrade to a patched Next.js release
npm install next@15.5.16
# or for the 16.x branch
npm install next@16.2.5

# Verify the installed version
npx next --version
```
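As an added example (not code from the advisory or from Next.js itself), the framework-independent helpers below implement the two checks from the Detection Strategies list above and the query-parameter stripping workaround in this section: they extract a route's dynamic segment names, flag query keys that collide with them, return a cleaned URL, and compare the path-derived segment values against what a page actually rendered. The route pattern, sample URL and rendered values are constructed for illustration.

```javascript
// Added example, not code from the advisory or from Next.js. Route patterns use
// Next.js-style [segment] names; the URL and rendered params below are constructed.

// Names of the dynamic segments in a route pattern: "/users/[userId]" -> ["userId"].
function dynamicSegmentNames(pattern) {
  return [...pattern.matchAll(/\[(\w+)\]/g)].map((m) => m[1]);
}

// Segment values implied by a concrete pathname (what middleware sees); null if no match.
function resolvePathParams(pattern, pathname) {
  const names = dynamicSegmentNames(pattern);
  const re = new RegExp("^" + pattern.replace(/\[\w+\]/g, "([^/]+)") + "/?$");
  const m = pathname.match(re);
  if (!m) return null;
  return Object.fromEntries(names.map((n, i) => [n, decodeURIComponent(m[i + 1])]));
}

// Detection: query keys that shadow a dynamic segment name of the matched route.
function collidingQueryKeys(pattern, url) {
  const names = new Set(dynamicSegmentNames(pattern));
  return [...url.searchParams.keys()].filter((k) => names.has(k));
}

// Workaround: copy of the URL with shadowing keys removed, to hand to the page
// handler instead of the raw request URL. The input URL is not mutated.
function stripShadowingParams(pattern, url) {
  const clean = new URL(url.toString());
  for (const k of collidingQueryKeys(pattern, url)) clean.searchParams.delete(k);
  return clean;
}

// Detection: compare the values implied by the middleware-evaluated path with the
// values the page actually rendered; each divergence is an alertable mismatch.
function findParamMismatches(entry) {
  const fromPath = resolvePathParams(entry.pattern, entry.pathname) || {};
  return Object.keys(fromPath)
    .filter((k) => entry.renderedParams[k] !== fromPath[k])
    .map((k) => ({ segment: k, pathValue: fromPath[k], renderedValue: entry.renderedParams[k] }));
}

// Constructed sample: the visible path is the caller's own resource, but the query
// string carries a userId key that collides with the [userId] segment.
const PATTERN = "/users/[userId]/documents/[docId]";
const sample = new URL("https://app.example/users/1001/documents/7?userId=1&view=full");
const cleaned = stripShadowingParams(PATTERN, sample); // search becomes "?view=full"
const alerts = findParamMismatches({
  pattern: PATTERN,
  pathname: sample.pathname,
  renderedParams: { userId: "1", docId: "7" }, // constructed: what the page served
});
```

In real Next.js middleware the cleaned URL would be passed to NextResponse.rewrite() before the request reaches the page handler, and the mismatch check would run over middleware and page-render log records joined on a per-request identifier (an assumption about the logging setup, not something the advisory describes).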

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Auth Bypass
  • Vendor/Tech: Next.js
  • Severity: HIGH
  • CVSS Score: 8.1
  • EPSS Probability: 0.03%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: None

CWE References

  • CWE-288

Vendor Resources

  • GitHub Security Advisory GHSA-492v-c6pp-mqqv

Related CVEs

  • CVE-2026-44573: Vercel Next.js Auth Bypass Vulnerability
  • CVE-2026-45109: Next.js Auth Bypass Vulnerability
  • CVE-2026-27977: Vercel Next.js Auth Bypass Vulnerability
  • CVE-2026-29057: Vercel Next.js Auth Bypass Vulnerability
©2026 SentinelOne, All Rights Reserved.
