PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44579 Vercel CVE debrief

CVE-2026-44579 is a high-severity vulnerability affecting Next.js, a popular React framework for building full-stack web applications. The vulnerability, which has a CVSS score of 7.5, can lead to connection exhaustion through crafted POST requests to a server action. This can occur when applications use Partial Prerendering through the Cache Components feature. A malicious request can trigger a request-body handling deadlock, leaving connections open for an extended period and consuming file descriptors and server capacity. As a result, legitimate users may be denied service. The vulnerability is fixed in Next.js versions 15.5.16 and 16.2.5.

Vendor: Vercel
Product: Next.js
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-06-30
Advisory published: 2026-05-13
Advisory updated: 2026-06-30

Who should care

Developers and administrators using Next.js, especially those utilizing Partial Prerendering through the Cache Components feature, should be aware of this vulnerability. They should assess their applications' exposure and update to a patched version as soon as possible. Additionally, users of Red Hat products that incorporate Next.js may need to apply mitigations or patches provided by Red Hat.

Technical summary

The CVE-2026-44579 vulnerability in Next.js arises from a flaw in handling POST requests to server actions when Partial Prerendering through Cache Components is enabled. By sending crafted requests, an attacker can cause a deadlock in request-body handling, leaving connections open and consuming file descriptors and server capacity. This can result in denial of service for legitimate users. The vulnerability carries the CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: reachable over the network, low attack complexity, no privileges or user interaction required, and a high impact on availability only, which is why it rates as high severity. The issue is addressed in Next.js versions 15.5.16 and 16.2.5.

Defensive priority

This vulnerability has a high CVSS score of 7.5 and can lead to denial of service, making it a priority for defenders to address. Immediate action should be taken to assess exposure and apply patches or mitigations.

Recommended defensive actions

  • Assess if the application uses Partial Prerendering through the Cache Components feature and is running a vulnerable version of Next.js.
  • Update Next.js to version 15.5.16 or 16.2.5, or a later patched version.
  • Review server configurations to ensure that timeouts and resource limits are appropriately set to mitigate the impact of potential attacks.
  • Monitor for unusual patterns of POST requests to server actions that could indicate attempted exploitation.
  • Consider implementing Web Application Firewalls (WAFs) or similar protective measures to detect and block suspicious traffic.

Evidence notes

The CVE-2026-44579 vulnerability is documented in the official CVE record and the NVD database. Additional information and mitigations are provided by Vercel and Red Hat. The vulnerability affects Next.js versions prior to 15.5.16 and 16.2.5. The CVSS score and vector are based on the NVD's assessment.

Official resources

This article is AI-assisted and based on the supplied source corpus.