CVE-2026-44581 Overview
CVE-2026-44581 is a stored cross-site scripting (XSS) vulnerability in Next.js, the React framework maintained by Vercel for building full-stack web applications. The flaw affects App Router applications that use Content Security Policy (CSP) nonces and are deployed behind shared caches. Malformed nonce values derived from request headers are reflected into rendered HTML in an unsafe way. An attacker can poison cached responses, causing arbitrary script execution for later visitors of the cached page. The vulnerability is tracked under [CWE-79] and is fixed in Next.js 15.5.16 and 16.2.5.
Critical Impact
An unauthenticated remote attacker can poison shared caches with malicious nonce-derived markup, triggering stored XSS against every subsequent visitor of the cached response.
Affected Products
- Next.js 13.4.0 and later, before 15.5.16
- Next.js 16.x versions before 16.2.5
- App Router applications relying on CSP nonces behind shared caches
Discovery Timeline
- 2026-05-13 - CVE-2026-44581 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44581
Vulnerability Analysis
Next.js App Router supports per-request CSP nonces generated from request headers. The framework injects these nonce values into rendered HTML to authorize inline scripts under a strict CSP. The affected versions do not properly validate or sanitize the nonce values before reflecting them into the response body.
When a Next.js application sits behind a shared cache such as a content delivery network (CDN) or reverse proxy, the cache stores rendered HTML keyed on request properties. An attacker who controls the header value used to derive the nonce can submit a malformed payload. The malformed value is reflected into the HTML and persists in the cache. Subsequent visitors receive the poisoned response, and the attacker-controlled markup executes in their browsers within the application origin.
The issue is classified as Improper Neutralization of Input During Web Page Generation [CWE-79]. Successful exploitation requires user interaction and a high-complexity setup involving the shared cache, which is reflected in the medium severity rating.
Root Cause
The root cause is insufficient validation of nonce values derived from untrusted request headers before insertion into HTML output. The framework treats the header-derived nonce as a safe token rather than untrusted input, omitting context-aware escaping for the HTML attribute and script tag contexts where the value is rendered.
Attack Vector
The attack vector is network-based and unauthenticated. An attacker crafts a request containing a malformed header that drives nonce derivation. The shared cache stores the resulting poisoned HTML. Any later user who requests the same cache key receives the attacker's injected script. Exploitation depends on the application's CSP configuration, the cache key behavior, and a victim visiting the cached route.
No verified proof-of-concept code is published. Refer to the GitHub Security Advisory GHSA-ffhc-5mcf-pf4q for vendor technical details.
Detection Methods for CVE-2026-44581
Indicators of Compromise
- Unexpected <script> tags or anomalous nonce attribute values in cached HTML responses served by CDN or reverse-proxy layers.
- Cache entries containing non-alphanumeric or oversized values where a base64 CSP nonce is expected.
- Outbound browser requests from end users to attacker-controlled domains originating from cached Next.js routes.
Detection Strategies
- Inspect CDN and edge cache logs for requests carrying unusual or malformed headers that influence nonce generation.
- Compare freshly rendered server responses against cached responses for the same route to identify drift in nonce-bearing markup.
- Deploy CSP report-only endpoints and monitor report-uri or report-to violations indicating injected inline scripts.
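The cached-versus-fresh drift check above, as an added example that is not code from the advisory or from Next.js. It assumes the cache layer can hand you a cached response body and its Content-Security-Policy header as strings, and it flags nonce attribute values that are not well-formed base64 or that do not appear in the header the response was served with.

```javascript
// Added example, not from the advisory or Next.js. Assumes the cache layer can
// hand you a cached response body and its Content-Security-Policy header.
// CSP nonces are base64; 16 random bytes encode to 24 characters. The length
// bounds are an assumption: tune them to what the application actually emits.
const NONCE_RE = /^[A-Za-z0-9+/]+={0,2}$/;
const NONCE_MIN = 16;
const NONCE_MAX = 128;
function isWellFormedNonce(value) {
  return typeof value === 'string' && value.length >= NONCE_MIN
    && value.length <= NONCE_MAX && NONCE_RE.test(value);
}

// Every nonce attribute value in the markup (double-, single- or unquoted).
function extractMarkupNonces(html) {
  const re = /\bnonce\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const found = [];
  for (let m; (m = re.exec(html)) !== null;) found.push(m[1] ?? m[2] ?? m[3]);
  return found;
}

// Every 'nonce-...' source listed in the CSP header.
function extractCspNonces(csp) {
  const re = /'nonce-([^']*)'/g;
  const found = [];
  for (let m; (m = re.exec(csp || '')) !== null;) found.push(m[1]);
  return found;
}

// Returns findings as strings; an empty list means the response looks sane.
function auditCachedResponse(html, csp) {
  const findings = [];
  const policy = new Set(extractCspNonces(csp));
  for (const n of extractMarkupNonces(html)) {
    if (!isWellFormedNonce(n)) findings.push(`malformed nonce in markup: ${JSON.stringify(n)}`);
    else if (policy.size > 0 && !policy.has(n)) findings.push(`markup nonce absent from CSP header: ${n}`);
  }
  for (const n of policy) {
    if (!isWellFormedNonce(n)) findings.push(`malformed nonce in CSP header: ${JSON.stringify(n)}`);
  }
  return findings;
}

// Constructed sample: one healthy response and one whose nonce attribute carries junk.
const GOOD_NONCE = 'Zm9vYmFyYmF6cXV4MTIzNA==';
const GOOD_CSP = `script-src 'self' 'nonce-${GOOD_NONCE}'`;
const GOOD_HTML = `<script nonce="${GOOD_NONCE}">init()</script>`;
const POISONED_HTML = '<script nonce="not-base64 <injected>">init()</script>';
console.log(auditCachedResponse(GOOD_HTML, GOOD_CSP));     // []
console.log(auditCachedResponse(POISONED_HTML, GOOD_CSP)); // one malformed-nonce finding
```

Run it over each cached entry for a nonce-bearing route; a non-empty result for an entry is a candidate for purge and for the CDN log review above.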
Monitoring Recommendations
- Enable verbose access logging on shared caches and forward logs to a SIEM for correlation with CSP violation reports.
- Alert on production deployments running Next.js in the affected range (13.4.0 or later and before 15.5.16, or 16.x before 16.2.5).
- Track anomalous spikes in identical cache-hit responses to specific routes following requests with unusual header content.
How to Mitigate CVE-2026-44581
Immediate Actions Required
- Upgrade Next.js to 15.5.16 or 16.2.5 across all environments running the App Router.
- Purge all shared cache entries for routes that render CSP nonces to evict any poisoned responses.
- Audit application code paths that generate CSP nonces from request headers and confirm they accept only the framework-supplied values.
Patch Information
Vercel released fixed versions 15.5.16 and 16.2.5 of Next.js. The patches sanitize nonce values before reflecting them into rendered HTML. Review the Next.js GitHub Security Advisory GHSA-ffhc-5mcf-pf4q for the official fix and upgrade guidance.
Workarounds
- Disable shared caching for routes that emit CSP nonces until the framework upgrade is deployed.
- Strip or override client-controlled headers at the CDN or edge layer before they reach the Next.js origin.
- Enforce a strict CSP without unsafe-inline fallback and validate that nonce values match an expected base64 character set at the edge.
```bash
# Upgrade Next.js to a fixed version
npm install next@15.5.16
# or for the 16.x branch
npm install next@16.2.5
# Purge CDN cache for nonce-bearing routes (example: Vercel)
vercel cache purge --scope <team>
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.