CVE-2026-44575 Overview
CVE-2026-44575 is an authorization bypass vulnerability in Vercel Next.js affecting App Router applications. The flaw exists in versions from 15.2.0 up to but not including 15.5.16, and in 16.x versions before 16.2.5. Applications that rely on middleware or proxy-based authorization checks can expose protected content through transport-specific route variants used for segment prefetching. Attackers can craft .rsc and segment-prefetch URLs that resolve to the same page without triggering the intended middleware rules. The issue is classified under [CWE-288] Authentication Bypass Using an Alternate Path or Channel. Vercel fixed the vulnerability in Next.js 15.5.16 and 16.2.5.
Critical Impact
Unauthenticated network attackers can bypass middleware authorization checks and access protected pages in affected Next.js App Router applications.
Affected Products
- Vercel Next.js versions 15.2.0 through 15.5.15
- Vercel Next.js versions 16.0.0 through 16.2.4
- App Router applications using middleware or proxy-based authorization
Discovery Timeline
- 2026-05-13 - CVE-2026-44575 published to NVD
- 2026-05-14 - Last updated in the NVD database
Technical Details for CVE-2026-44575
Vulnerability Analysis
The vulnerability affects Next.js App Router applications that delegate authorization decisions to middleware or upstream proxies. Next.js exposes multiple transport-specific URL variants that resolve to the same underlying page component. These variants include React Server Component (.rsc) requests and segment-prefetch URLs used to optimize client-side navigation.
Middleware rules typically match against the canonical route path. When a request arrives using a prefetch or .rsc variant, the matcher logic can fail to apply the same rule. The request then reaches the page handler without the authorization check, returning protected content to the unauthenticated caller.
The vulnerability requires no privileges or user interaction and is exploitable over the network. Impact is limited to confidentiality, since the bypass exposes data but does not modify state or affect availability.
Root Cause
The root cause is inconsistent route matching between middleware and the App Router runtime. Middleware patterns evaluate against the request path as observed at the edge. Segment prefetch and .rsc URLs use suffixes and query parameters that change the path string while still resolving to the same page component downstream. This mismatch allows alternate-channel access to protected routes [CWE-288].
Attack Vector
An attacker identifies a protected route guarded by Next.js middleware or a reverse proxy. The attacker then issues a request to the equivalent .rsc or segment-prefetch URL for that route. The middleware matcher does not apply to the variant, and the server returns the rendered server component payload containing the protected data. No authentication or session token is required.
The vulnerability mechanism is described in the Vercel Security Advisory GHSA-267c-6grr-h53f. No public proof-of-concept or exploit code is available at this time.
Detection Methods for CVE-2026-44575
Indicators of Compromise
- HTTP requests to URLs containing .rsc suffixes or _rsc query parameters targeting routes that require authentication
- Access log entries showing successful 200 responses to prefetch variants of protected routes without prior session establishment
- Spike in segment-prefetch traffic from clients that never completed an authenticated navigation flow
Detection Strategies
- Compare request paths reaching application handlers against paths evaluated by middleware to identify variant bypass patterns
- Inspect server-side telemetry for responses containing serialized React Server Component payloads delivered to unauthenticated sessions
- Correlate edge proxy logs with origin logs to surface requests that skipped expected authorization middleware
Monitoring Recommendations
- Log the resolved page component and the middleware decision for every request to enable variant-mismatch detection
- Alert on anomalous request rates for .rsc and prefetch URLs from single source IPs
- Monitor for outbound responses from protected routes with content lengths matching authenticated payloads but without associated session cookies
How to Mitigate CVE-2026-44575
Immediate Actions Required
- Upgrade Next.js to version 15.5.16 if running the 15.x branch or to 16.2.5 if running the 16.x branch
- Audit App Router applications for routes protected only by middleware or proxy-based authorization rules
- Move authorization checks into page-level or layout-level server code so they apply regardless of transport variant
Patch Information
Vercel released fixes in Next.js 15.5.16 and 16.2.5. The patches normalize matcher behavior so middleware applies consistently to canonical paths, .rsc requests, and segment-prefetch variants. See the Vercel Security Advisory GHSA-267c-6grr-h53f for upgrade guidance.
Workarounds
- Implement authorization checks inside server components and route handlers rather than relying solely on middleware
- Add edge or reverse-proxy rules that block direct external requests to .rsc and segment-prefetch URLs for protected routes
- Expand middleware matchers to explicitly cover variant URL patterns until patched versions can be deployed
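One way to put the canonicalization the workarounds above call for into code, and to run the log check described under Detection Strategies over it, as an added JavaScript example that is not code from Next.js or the advisory: the session cookie name, the protected route list and the log line format are assumptions, and only the .rsc suffix and _rsc query parameter named on this page are treated as variants.

```javascript
// Added example, not Next.js or advisory code; only .rsc and _rsc from this page are treated as variants.
const SESSION_COOKIE = "session"; // assumed session cookie name
const PROTECTED_PREFIXES = ["/admin", "/account"]; // assumed protected routes

// Map a request URL to the canonical App Router page path it resolves to.
function canonicalRoute(rawUrl) {
  const url = new URL(rawUrl, "http://localhost"); // base only so relative URLs parse
  let path = url.pathname.replace(/\.rsc$/, ""); // /admin.rsc -> /admin
  if (path.length > 1) path = path.replace(/\/+$/, ""); // drop trailing slash
  return path || "/";
}
// True when the URL is one of the transport variants this page names.
function isVariant(rawUrl) {
  const url = new URL(rawUrl, "http://localhost");
  return url.pathname.endsWith(".rsc") || url.searchParams.has("_rsc");
}
function isProtected(route) {
  return PROTECTED_PREFIXES.some((p) => route === p || route.startsWith(p + "/"));
}

// Authorization decision keyed on the canonical route rather than the raw path
// string, so one rule covers /admin, /admin.rsc and /admin?_rsc=... alike.
function authorize(rawUrl, cookieHeader = "") {
  if (!isProtected(canonicalRoute(rawUrl))) return "allow";
  const cookies = cookieHeader.split(";").map((c) => c.trim());
  return cookies.some((c) => c.startsWith(SESSION_COOKIE + "=")) ? "allow" : "deny";
}

// Detection over access-log lines in a constructed "METHOD URL STATUS cookie=yes|no"
// format: flag 200s to variant URLs of protected routes that carried no session.
function findBypassCandidates(logLines) {
  const hits = [];
  for (const line of logLines) {
    const [method, rawUrl, status, cookie] = line.trim().split(/\s+/);
    if (status !== "200" || cookie !== "cookie=no") continue;
    const route = canonicalRoute(rawUrl);
    if (isProtected(route) && isVariant(rawUrl)) hits.push({ method, rawUrl, route });
  }
  return hits;
}

// Constructed sample log: yields two candidates, /admin and /admin/users.
const SAMPLE_LOG = [
  "GET /admin 302 cookie=no", // middleware redirected the canonical path
  "GET /admin.rsc 200 cookie=no", // variant served without a session
  "GET /admin/users?_rsc=1a2b3c 200 cookie=no", // variant served without a session
  "GET /admin?_rsc=9f8e7d 200 cookie=yes", // authenticated navigation
  "GET /public.rsc 200 cookie=no", // unprotected route
];
```

The same canonicalRoute helper can back a middleware matcher and an offline log sweep, so both sides evaluate one route name instead of the raw path string.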
# Upgrade example (15.x branch)
npm install next@15.5.16
# or for the 16.x branch
npm install next@16.2.5
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


