CVE-2026-44576

Next.js: Cache poisoning in React Server Component responses

Assigner: GitHub_M
Reserved: 06.05.2026 Published: 13.05.2026 Updated: 13.05.2026

Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the original URL and poison shared cache entries so later visitors receive component payloads instead of the expected HTML. This vulnerability is fixed in 15.5.16 and 16.2.5.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L
CVSS Score: 5.4

Attack Vector	Network	Scope	Changed
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	vercel
Product	next.js
Versions	Version >= 14.2.0, < 15.5.16 is affected Version >= 16.0.0, < 16.2.5 is affected

Vendor

vercel

Product

next.js

Versions

Version >= 14.2.0, < 15.5.16 is affected
Version >= 16.0.0, < 16.2.5 is affected

References

Problem Types

CWE-436: Interpretation Conflict CWE

CVE-2026-44576 PUBLISHED

Next.js: Cache poisoning in React Server Component responses

Metrics

Product Status

References

Problem Types