Description
Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /_next/data/<buildId>/<page>.json requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks. This vulnerability is fixed in 15.5.16 and 16.2.5.
Published: 2026-05-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Next.js version 12.2.0 through 15.5.15 and 16.2.4 in Pages Router configurations with i18n enabled allows an attacker to read server‑side rendered JSON for protected pages without authentication, because middleware does not execute for unprefixed /_next/data requests. The flaw yields confidentiality compromise of page content and related data, potentially revealing sensitive application state. The weakness corresponds to missing authorization enforcement (CWE-863) and special‑case logic errors (CWE-551).

Affected Systems

The vulnerability affects Vercel's Next.js framework, specifically versions 12.2.0 to 15.5.15 inclusive and up to 16.2.4. It requires a Pages Router application using i18n and middleware or proxy‑based authorization. Upgrading to 15.5.16 or 16.2.5 removes the issue. If an organization uses a lower or higher unpatched version, they remain at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity. The EPSS score is 0.00052 (less than 1 %), suggesting a very low probability of exploitation in the wild, but the flaw can still be readily exploited. Because it is not listed in CISA KEV, active exploitation may not yet be widespread, yet it offers a straightforward defacement or data extraction attack path. The most likely attack vector is a direct request to /_next/data/<buildId>/<page>.json, bypassing all middleware checks.

Generated by OpenCVE AI on June 3, 2026 at 13:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Next.js to 15.5.16 or 16.2.5 to eliminate the bypass.
  • If upgrading is not yet feasible, add a middleware check to enforce authentication on all /_next/data requests, including locale‑less routes.
  • Alternatively, configure your CDN or reverse proxy to block unauthenticated requests to /_next/data/<buildId>/<page>.json without proper locale prefixes.

Generated by OpenCVE AI on June 3, 2026 at 13:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-36qx-fr4f-26g5 Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n
History

Wed, 03 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-551
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 14 May 2026 12:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*

Wed, 13 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Vercel
Vercel next.js
Vendors & Products Vercel
Vercel next.js

Wed, 13 May 2026 17:15:00 +0000

Type Values Removed Values Added
Description Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /_next/data/<buildId>/<page>.json requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks. This vulnerability is fixed in 15.5.16 and 16.2.5.
Title Next.js: Middleware / Proxy bypass in Pages Router applications using i18n
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Vercel Next.js
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T18:19:49.658Z

Reserved: 2026-05-06T21:49:12.424Z

Link: CVE-2026-44573

cve-icon Vulnrichment

Updated: 2026-05-13T18:11:24.593Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T17:16:22.627

Modified: 2026-05-14T12:24:22.910

Link: CVE-2026-44573

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-13T16:48:16Z

Links: CVE-2026-44573 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T14:00:21Z

Weaknesses
  • CWE-551

    Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

  • CWE-863

    Incorrect Authorization