Description
Next.js is a React framework for building full-stack web applications. From 15.4.0 to before 15.5.16 and 16.2.5, applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployments, specially crafted query parameters can alter the dynamic route value seen by the page while leaving the visible path unchanged, which can allow protected content to be rendered without passing the expected middleware check. This vulnerability is fixed in 15.5.16 and 16.2.5.
Published: 2026-05-13
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an attacker to craft query parameters that alter the dynamic route value recognized by the page while leaving the visible path unchanged. The result is an authorization bypass: the middleware evaluates the visible path and allows the request, but the page renders content for a dynamic route value other than the one the middleware checked. Protected content can therefore be rendered without the expected authorization check being applied to it. The flaw is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel).

Affected Systems

Applications built with Vercel's Next.js framework from version 15.4.0 up to, but not including, 15.5.16, and on the 16.x line before 16.2.5, are affected. The vulnerability has been resolved in Next.js 15.5.16 and 16.2.5. Any deployment on an unfixed version that relies on middleware to protect dynamic routes should be considered at risk.

Risk and Exploitability

The CVSS 3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) indicates high severity: the flaw is reachable over the network, requires no user interaction, and has high confidentiality and integrity impact, but it requires low privileges (PR:L), so the attacker needs some level of access to the application. The EPSS score is below 1%, and the issue is not listed in the CISA KEV catalog. Exploitation needs only an HTTP request with a crafted query string, so any application that exposes sensitive dynamic routes guarded by middleware should treat this as a high-risk issue and prioritize remediation accordingly.

Generated by OpenCVE AI on May 13, 2026 at 18:28 UTC.

Remediation

Fixed in Next.js 15.5.16 and 16.2.5. No vendor workaround for unfixed versions is listed.

OpenCVE Recommended Actions

  • Upgrade Next.js to 15.5.16 (15.x line) or 16.2.5 (16.x line) or later, which contain the fix for the dynamic route parameter injection issue.
  • After upgrading, verify that middleware protections for dynamic routes still enforce authorization by testing with crafted query parameters that would previously have bypassed the checks.
  • If a timely upgrade is not possible, add server-side validation in the page or route handler itself that confirms the dynamic route value it is about to act on matches the intended resource from the request path before rendering protected content, or restrict access to the affected dynamic routes until the issue is resolved.



Advisories
Source: GitHub GHSA
ID: GHSA-492v-c6pp-mqqv
Title: Next.js has a Middleware / Proxy bypass through dynamic route parameter injection
History

Thu, 14 May 2026 12:45:00 +0000

Type: CPEs
Values added: cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*

Thu, 14 May 2026 11:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 13 May 2026 18:45:00 +0000

Type: First Time appeared
Values added: Vercel; Vercel next.js
Type: Vendors & Products
Values added: Vercel; Vercel next.js

Wed, 13 May 2026 17:15:00 +0000

Type: Description
Values added: Next.js is a React framework for building full-stack web applications. From 15.4.0 to before 15.5.16 and 16.2.5, applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployments, specially crafted query parameters can alter the dynamic route value seen by the page while leaving the visible path unchanged, which can allow protected content to be rendered without passing the expected middleware check. This vulnerability is fixed in 15.5.16 and 16.2.5.
Type: Title
Values added: Next.js: Middleware / Proxy bypass through dynamic route parameter injection
Type: Weaknesses
Values added: CWE-288
Type: References
Type: Metrics (cvssV3_1)
Values added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T10:30:11.611Z

Reserved: 2026-05-06T21:49:12.424Z

Link: CVE-2026-44574

Vulnrichment

Updated: 2026-05-14T10:30:08.565Z

NVD

Status : Analyzed

Published: 2026-05-13T17:16:22.767

Modified: 2026-05-14T12:37:00.523

Link: CVE-2026-44574

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T18:30:46Z

Weaknesses