PatchSiren cyber security CVE debrief
CVE-2026-44575 Vercel CVE debrief
CVE-2026-44575 is a high-severity vulnerability in Next.js, a React framework for building full-stack web applications. The vulnerability affects App Router applications that rely on middleware or proxy-based checks for authorization, allowing unauthorized access through specially crafted .rsc and segment-prefetch URLs. This can occur when such URLs resolve to the same page without being matched by the intended middleware rule, bypassing expected authorization checks. The issue was fixed in versions 15.5.16 and 16.2.5 of Next.js. Organizations using affected versions should upgrade to a patched version immediately.
- Vendor: Vercel
- Product: Next.js
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-13
- Original CVE updated: 2026-06-30
- Advisory published: 2026-05-13
- Advisory updated: 2026-06-30
Who should care
Developers and administrators running Next.js, especially those whose App Router applications rely on middleware or proxy-based authorization checks, should be aware of this vulnerability. With a CVSS score of 7.5 (high), the issue matters most in environments where unauthorized read access to protected content would have a significant impact. Upgrading to a patched version of Next.js is essential to mitigate this risk.
Technical summary
The vulnerability in Next.js arises from how App Router applications handle middleware or proxy-based authorization checks. Specifically, transport-specific route variants used for segment prefetching can be reached through specially crafted .rsc and segment-prefetch URLs. These URLs resolve to the same page as the normal route but are not matched by the intended middleware rule, so protected content can be served without proper authorization. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N describes a network-reachable, low-complexity issue that requires no privileges or user interaction and has a high confidentiality impact with no integrity or availability impact. The issue is addressed in Next.js versions 15.5.16 and 16.2.5.
Defensive priority
This vulnerability should be prioritized for immediate attention due to its high severity and potential for unauthorized access. Affected Next.js applications should be upgraded to version 15.5.16 or 16.2.5 as soon as possible.
Recommended defensive actions
- Upgrade Next.js to version 15.5.16 or 16.2.5.
- Review and update middleware rules to ensure proper authorization checks.
- Monitor applications for suspicious .rsc and segment-prefetch URL activity.
- Implement additional logging and monitoring for affected applications.
- Verify that all necessary security patches are applied.
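The following is an added example, not code from the advisory or the Next.js project. It shows why an authorization rule that matches only the plain page path misses the transport variants described above, and it runs a check over constructed log lines to surface requests that reach a protected page only through such a variant. The ".segments/" shape used for segment-prefetch URLs, the protected prefixes and the sample log lines are assumptions made for the example.

```javascript
// Added example (not from the advisory or Next.js). Protected prefixes,
// the ".segments/" URL shape and the log lines are constructed assumptions.
const PROTECTED_PREFIXES = ["/admin", "/account"];

// A prefix-only rule of the kind the advisory warns about: it sees "/admin"
// but not "/admin.rsc", which the framework resolves to the same page.
function naiveIsProtected(pathname) {
  return PROTECTED_PREFIXES.some(
    (p) => pathname === p || pathname.startsWith(p + "/")
  );
}

// Collapse transport-specific variants back to the page path they render.
// Assumed shapes: "<page>.rsc" and "<page>.segments/<...>".
function normalizeRoutePath(pathname) {
  let path = pathname.split("?")[0];
  const seg = path.indexOf(".segments/");
  if (seg !== -1) path = path.slice(0, seg);
  if (path.endsWith(".rsc")) path = path.slice(0, -".rsc".length);
  return path === "" ? "/" : path;
}

// Hardened rule: authorize on the normalized page path, not the raw URL.
function hardenedIsProtected(pathname) {
  return naiveIsProtected(normalizeRoutePath(pathname));
}

// Flag requests that the hardened rule treats as protected but the naive
// rule would have let through: the bypass class this CVE describes.
function findBypassCandidates(logLines) {
  const out = [];
  for (const line of logLines) {
    const m = line.match(/^(\S+) "(GET|HEAD) (\S+)/);
    if (!m) continue;
    const [, ip, , path] = m;
    if (!naiveIsProtected(path) && hardenedIsProtected(path)) {
      out.push({ ip, path, page: normalizeRoutePath(path) });
    }
  }
  return out;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.5 "GET /admin HTTP/1.1" 302',
  '203.0.113.5 "GET /admin.rsc HTTP/1.1" 200',
  '203.0.113.7 "GET /account.segments/_tree.segment.rsc HTTP/1.1" 200',
  '198.51.100.9 "GET /blog/post.rsc HTTP/1.1" 200',
];
```

Running `findBypassCandidates(SAMPLE_LOG)` reports the two requests that reached `/admin` and `/account` through a transport variant while the naive rule passed them; the public `/blog/post.rsc` request is not flagged.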
Evidence notes
The CVE-2026-44575 vulnerability is documented in the NVD and CVE databases. Vendor advisories and references from Red Hat provide additional context and mitigation strategies. The vulnerability's details and fixes are well-documented, allowing for straightforward remediation.
Official resources
- CVE-2026-44575 CVE record (CVE.org)
- CVE-2026-44575 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Vendor Advisory ([email protected])
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.