PatchSiren cyber security CVE debrief

CVE-2026-44575 Vercel CVE debrief

CVE-2026-44575 is a high-severity vulnerability in Next.js, a React framework for building full-stack web applications. It affects App Router applications that rely on middleware or proxy-based checks for authorization: specially crafted .rsc and segment-prefetch URLs can resolve to the same page as a protected route while falling outside the middleware rule meant to guard it, so the expected authorization check never runs and the content is served without authorization. The issue was fixed in Next.js versions 15.5.16 and 16.2.5. Organizations running affected versions should upgrade to a patched version immediately.

Vendor: Vercel
Product: Next.js
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-06-30
Advisory published: 2026-05-13
Advisory updated: 2026-06-30

Who should care

Developers and administrators running Next.js, especially applications that rely on middleware or proxy-based authorization checks, should be aware of this vulnerability. Given the high CVSS score of 7.5, the issue warrants urgent attention in environments where unauthorized read access to protected content would have significant impact. Upgrading to a patched version of Next.js is essential to mitigate this risk.

Technical summary

The vulnerability arises from how App Router applications apply middleware or proxy-based authorization checks. Transport-specific route variants used for segment prefetching can be reached with specially crafted .rsc and segment-prefetch URLs; these URLs are not matched by the intended middleware rule yet resolve to the same page, so protected content is served without proper authorization. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: reachable over the network with low attack complexity, no privileges and no user interaction, with high confidentiality impact and no integrity or availability impact, giving a high severity rating. The issue is addressed in Next.js versions 15.5.16 and 16.2.5.

Defensive priority

This vulnerability should be prioritized for immediate attention due to its high severity and potential for unauthorized access. Affected Next.js applications should be upgraded to version 15.5.16 or 16.2.5 as soon as possible.

Recommended defensive actions

  • Upgrade Next.js to version 15.5.16 or 16.2.5.
  • Review and update middleware rules to ensure proper authorization checks.
  • Monitor access logs for unexpected .rsc and segment-prefetch requests against protected routes.
  • Implement additional logging and monitoring for affected applications.
  • Verify that all necessary security patches are applied.
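The example below is added here to illustrate two of the actions above (reviewing how a middleware rule is applied, and flagging .rsc and segment-prefetch requests in access logs); it is not Next.js or Vercel code and not the fix described in the advisory, which is the version upgrade. It models a path-prefix matcher in the style of an App Router middleware `matcher` and shows why a variant URL that resolves to the same page can fall outside the rule. The suffix shapes `.rsc`, `.prefetch.rsc` and the `.segments/` marker, the `PROTECTED_MATCHERS` patterns and the log lines are all constructed assumptions for demonstration; the advisory itself names only .rsc and segment-prefetch URLs.

```javascript
// Added illustration, not Next.js or Vercel code. Variant URL shapes below are ASSUMED.

// Constructed matcher patterns in the style of an App Router middleware config.
const PROTECTED_MATCHERS = ['/dashboard/:path*', '/admin/:path*'];

// Turn "/dashboard/:path*" into a RegExp that matches /dashboard and anything
// under /dashboard/. This is a simplified stand-in for path-to-regexp matching.
function matcherToRegExp(pattern) {
  const m = /^(.*?)(?:\/:[A-Za-z0-9_]+\*)?$/.exec(pattern);
  const base = m[1].replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); // escape literal part
  const tail = pattern.endsWith('*') ? '(?:/.*)?' : '';     // optional "/..." suffix
  return new RegExp(`^${base}${tail}$`);
}

const PROTECTED_RULES = PROTECTED_MATCHERS.map(matcherToRegExp);

// Map a transport-specific variant back to the page path it resolves to.
// ASSUMED shapes: "<page>.rsc", "<page>.prefetch.rsc",
// "<page>.segments/<segment>.segment.rsc". Query strings are dropped.
function canonicalPagePath(path) {
  let p = path.split('?')[0];
  const seg = p.indexOf('.segments/');
  if (seg !== -1) p = p.slice(0, seg);
  p = p.replace(/\.prefetch\.rsc$/, '').replace(/\.rsc$/, '');
  return p === '' ? '/' : p;
}

// The weak check tests the raw request path against the rule; the review
// check tests the canonical page path instead. The gap between the two is
// the set of requests the rule silently misses.
function ruleAppliesRaw(path) {
  return PROTECTED_RULES.some((r) => r.test(path));
}
function ruleAppliesCanonical(path) {
  return PROTECTED_RULES.some((r) => r.test(canonicalPagePath(path)));
}

function isTransportVariant(path) {
  return canonicalPagePath(path) !== path.split('?')[0];
}

// Constructed access-log lines: "<method> <path> <status> session=<yes|no>".
const SAMPLE_LOG = [
  'GET /dashboard 302 session=no',
  'GET /dashboard.rsc 200 session=no',
  'GET /dashboard/settings.rsc 200 session=yes',
  'GET /dashboard.segments/_tree.segment.rsc 200 session=no',
  'GET /about.rsc 200 session=no',
];

// Flag variant-URL requests that resolve to a protected page, were answered
// with 200, and carried no session: the pattern a bypass would leave in logs.
function findSuspiciousVariantRequests(lines) {
  const hits = [];
  for (const line of lines) {
    const [, path, status, session] = line.split(' ');
    if (!isTransportVariant(path)) continue;
    const canon = canonicalPagePath(path);
    const protectedPage = PROTECTED_RULES.some((r) => r.test(canon));
    if (protectedPage && status === '200' && session === 'session=no') {
      hits.push({ path, resolvesTo: canon, missedByRawRule: !ruleAppliesRaw(path) });
    }
  }
  return hits;
}

console.log(findSuspiciousVariantRequests(SAMPLE_LOG));
```

Running the block prints the two constructed log entries that resolve to /dashboard via a variant URL without a session. The `missedByRawRule` field shows which of them the literal prefix matcher would not have covered; the canonicalization here is a triage aid for log review and rule auditing, not a replacement for upgrading to a fixed version.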

Evidence notes

The CVE-2026-44575 vulnerability is documented in the NVD and CVE databases. Vendor advisories and references from Red Hat provide additional context and mitigation strategies. The vulnerability's details and fixes are well-documented, allowing for straightforward remediation.

Official resources

This article is AI-assisted and based on the supplied source corpus.