CVE-2026-44574

Next.js: Middleware / Proxy bypass through dynamic route parameter injection

Assigner: GitHub_M
Reserved: 06.05.2026 Published: 13.05.2026 Updated: 14.05.2026

Next.js is a React framework for building full-stack web applications. From 15.4.0 to before 15.5.16 and 16.2.5, applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployments, specially crafted query parameters can alter the dynamic route value seen by the page while leaving the visible path unchanged, which can allow protected content to be rendered without passing the expected middleware check. This vulnerability is fixed in 15.5.16 and 16.2.5.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS Score: 8.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	vercel
Product	next.js
Versions	Version >= 15.4.0, < 15.5.16 is affected Version >= 16.0.0, < 16.2.5 is affected

Vendor

vercel

Product

next.js

Versions

Version >= 15.4.0, < 15.5.16 is affected
Version >= 16.0.0, < 16.2.5 is affected

References

Problem Types

CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE

CVE-2026-44574 PUBLISHED

Next.js: Middleware / Proxy bypass through dynamic route parameter injection

Metrics

Product Status

References

Problem Types