Description
Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /_next/data/<buildId>/<page>.json requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks. This vulnerability is fixed in 15.5.16 and 16.2.5.
Published: 2026-05-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Next.js version 12.2.0 through 15.5.15 and 16.2.4 in Pages Router configurations with i18n enabled allows an attacker to read server‑side rendered JSON for protected pages without authentication, because middleware does not execute for unprefixed /_next/data requests. The flaw yields confidentiality compromise of page content and related data, potentially revealing sensitive application state. The weakness corresponds to missing authorization enforcement (CWE-863).

Affected Systems

The vulnerability affects Vercel's Next.js framework, specifically versions 12.2.0 to 15.5.15 inclusive and up to 16.2.4. It requires a Pages Router application using i18n and middleware or proxy‑based authorization. Upgrading to 15.5.16 or 16.2.5 removes the issue. If an organization uses a lower or higher unpatched version, they remain at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity. No EPSS data is available, but the flaw is exploitable through direct URL construction without authentication, implying a low barrier to execution. Because it remains unpublished in the CISA KEV catalog, active exploitation may not yet be widespread, yet the vulnerability offers a straightforward defacement or data extraction attack path. The most likely attack vector is a direct request to /_next/data/<buildId>/<page>.json, bypassing all middleware checks.

Generated by OpenCVE AI on May 13, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Next.js to 15.5.16 or 16.2.5 to eliminate the bypass.
  • If upgrading is not yet feasible, add a middleware check to enforce authentication on all /_next/data requests, including locale‑less routes.
  • Alternatively, configure your CDN or reverse proxy to block unauthenticated requests to /_next/data/<buildId>/<page>.json without proper locale prefixes.

Generated by OpenCVE AI on May 13, 2026 at 18:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-36qx-fr4f-26g5 Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n
History

Thu, 14 May 2026 12:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*

Wed, 13 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Vercel
Vercel next.js
Vendors & Products Vercel
Vercel next.js

Wed, 13 May 2026 17:15:00 +0000

Type Values Removed Values Added
Description Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /_next/data/<buildId>/<page>.json requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks. This vulnerability is fixed in 15.5.16 and 16.2.5.
Title Next.js: Middleware / Proxy bypass in Pages Router applications using i18n
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Vercel Next.js
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T18:19:49.658Z

Reserved: 2026-05-06T21:49:12.424Z

Link: CVE-2026-44573

cve-icon Vulnrichment

Updated: 2026-05-13T18:11:24.593Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T17:16:22.627

Modified: 2026-05-14T12:24:22.910

Link: CVE-2026-44573

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T19:00:15Z

Weaknesses