CVE-2026-44582 Overview
CVE-2026-44582 is a cache poisoning vulnerability in Next.js, the React framework for building full-stack web applications. The flaw affects versions from 13.4.6 up to (but not including) 15.5.16 and 16.2.5. React Server Component (RSC) responses can be poisoned in deployments that rely on shared caches with insufficient response partitioning. Collisions in the _rsc cache-busting value allow an attacker to poison cache entries, causing users to receive the wrong response variant for a given URL. The issue is classified under [CWE-328] (Use of Weak Hash) and has been fixed in Next.js 15.5.16 and 16.2.5.
Critical Impact
Attackers can cause users to receive incorrect cached response variants, potentially exposing alternate content or breaking application integrity under specific shared cache configurations.
Affected Products
- Next.js versions 13.4.6 through 15.5.15
- Next.js versions 16.0.0 through 16.2.4
- Deployments using shared caches with insufficient response partitioning
Discovery Timeline
- 2026-05-13 - CVE CVE-2026-44582 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44582
Vulnerability Analysis
Next.js uses a query parameter named _rsc as a cache-busting token to distinguish between standard HTML responses and React Server Component payload responses for the same URL. The token serves to partition cached content so intermediate caches and content delivery networks (CDNs) return the correct variant.
The vulnerability stems from the weakness of the _rsc value. Because the token has insufficient entropy, collisions are reachable by an attacker who can predict or brute-force values. When two requests share the same _rsc value but expect different content variants, a shared cache can store one variant and serve it to clients expecting the other.
The practical impact depends on deployment topology. Sites that rely on shared upstream caches or CDNs that key on URL plus the _rsc parameter without additional partitioning are exposed. The integrity impact is limited to served content, with no direct confidentiality or availability impact according to the CVSS vector.
Root Cause
The root cause is the use of a weak hashing or token generation scheme for the _rsc cache-busting parameter [CWE-328]. The generated value does not provide sufficient uniqueness to prevent collisions across response variants, which breaks the cache partitioning invariant the framework relies on.
Attack Vector
An attacker sends crafted HTTP requests to a vulnerable Next.js application fronted by a shared cache. By manipulating or guessing the _rsc token, the attacker primes the cache with a response variant. Subsequent users requesting the same URL receive the poisoned cached response instead of the correct variant. Exploitation requires high attack complexity and no authentication or user interaction. See the GitHub Security Advisory GHSA-vfv6-92ff-j949 for additional technical detail.
Detection Methods for CVE-2026-44582
Indicators of Compromise
- Unexpected RSC payload content returned for HTML page requests, or vice versa, under the same URL
- Anomalous volumes of requests containing the _rsc query parameter from a small set of source addresses
- Cache hit logs showing the same _rsc value mapped to differing response bodies over time
Detection Strategies
- Inventory all Next.js deployments and compare versions against the fixed releases 15.5.16 and 16.2.5
- Review CDN and reverse proxy cache key configurations to confirm response variants are partitioned beyond URL plus _rsc
- Inspect application access logs for repeated requests targeting the same path with varying _rsc token values
Monitoring Recommendations
- Enable cache hit and miss telemetry at the CDN tier and alert on response content-type mismatches for cached entries
- Monitor for elevated 4xx and 5xx rates following requests with manipulated _rsc parameters
- Forward web application and CDN logs to a centralized analytics platform to correlate cache behavior with client-reported anomalies
How to Mitigate CVE-2026-44582
Immediate Actions Required
- Upgrade Next.js to version 15.5.16 or 16.2.5, depending on the major release in use
- Audit shared cache configurations and add response partitioning by Accept header or RSC request header where supported
- Purge existing cached entries that may contain poisoned RSC or HTML responses after upgrading
Patch Information
The Next.js maintainers fixed the issue in releases 15.5.16 and 16.2.5. Patch notes and remediation details are documented in the Vercel Next.js Security Advisory GHSA-vfv6-92ff-j949. Operators should plan an upgrade and validate cache behavior in staging before production rollout.
Workarounds
- Configure CDN or reverse proxy cache keys to include the RSC request header so HTML and RSC variants are stored separately
- Disable shared caching for RSC routes until the patched version can be deployed
- Restrict cache TTLs for affected routes to limit the window during which poisoned content can be served
# Configuration example - Upgrade Next.js to a fixed version
npm install next@15.5.16
# or
npm install next@16.2.5
# Verify installed version
npx next --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
