Description
Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used for segment prefetching. In affected configurations, specially crafted .rsc and segment-prefetch URLs can resolve to the same page without being matched by the intended middleware rule, which can allow protected content to be reached without the expected authorization check. This vulnerability is fixed in 15.5.16 and 16.2.5.
Published: 2026-05-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is caused by the way Next.js App Router handles transport‑specific segment‑prefetch URLs. A specially crafted ".rsc" or segment‑prefetch URL can resolve to the same page as a normal request while never matching the intended middleware rule, thereby preventing the middleware or proxy from executing its authorization check. An attacker who can supply such URLs can reach protected content without authenticating, effectively bypassing application‑level access controls.

Affected Systems

The vulnerability affects Next.js applications built with the App Router that rely on middleware or proxy checks for authorization. It is present in Next.js releases from version 15.2.0 up to, but not including, 15.5.16, and in the 16.x series before the 16.2.5 fix. The affected product is the "vercel:next.js" framework.

Risk and Exploitability

The flaw carries a CVSS score of 7.5, indicating a high severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV. The exploit path is straightforward: an attacker simply supplies a crafted segment‑prefetch URL from a client or browser. Successful exploitation does not require authentication or privileged access. Given the simplicity of constructing such URLs, the risk to exposed applications that have not patched is significant.

Generated by OpenCVE AI on May 13, 2026 at 18:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Next.js 15.5.16 or later, or to Next.js 16.2.5 or later, to apply the vendor‑proposed fix.
  • After upgrading, verify that protected routes still require the expected middleware or proxy checks by attempting to access them with segment‑prefetch URLs.
  • If immediate upgrade is not possible, add an additional origin‑check or strict path validation to all middleware rules to reject segment‑prefetch routes that do not belong to the normal request flow.
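The "strict path validation" in the last action above, as an added example that is not code from the advisory or from Next.js: instead of enumerating exact page paths in a `matcher`, which a transport-specific variant such as `/dashboard.rsc` may not match, the check runs on every request and treats both `/` and `.` as a boundary after a protected prefix, so the page, its `.rsc` variant and anything else under that prefix reach the same authorization decision. The `PROTECTED_PREFIXES` list and the session check are hypothetical placeholders for the application's own routes and session logic.

```javascript
// Added example (not Next.js or advisory code): fail-closed prefix check for
// an authorization middleware. Hypothetical protected areas; adjust to the
// application's own routes. Prefixes must not end with a slash.
const PROTECTED_PREFIXES = ["/dashboard", "/admin"];

// Decode once; an undecodable path is reported as null and treated as
// protected by the caller (fail closed rather than fail open).
function decodePath(pathname) {
  try {
    return decodeURIComponent(pathname);
  } catch {
    return null;
  }
}

// Collapse repeated slashes so `//dashboard` is judged like `/dashboard`.
function normalizePath(pathname) {
  const decoded = decodePath(pathname);
  if (decoded === null) return null;
  return decoded.replace(/\/{2,}/g, "/");
}

// True when `pathname` is the protected page itself or any variant under it:
// `/dashboard`, `/dashboard.rsc`, `/dashboard/settings`, `/dashboard/x.rsc`.
// `/dashboards` is not matched because `s` is not a boundary character.
function isProtectedPath(pathname, prefixes = PROTECTED_PREFIXES) {
  const path = normalizePath(pathname);
  if (path === null) return true;
  return prefixes.some((prefix) => {
    if (!path.startsWith(prefix)) return false;
    const next = path.charAt(prefix.length);
    return next === "" || next === "/" || next === ".";
  });
}

// The decision made for every request; `hasValidSession` is whatever
// session or token validation the application already performs.
function authorize(pathname, hasValidSession) {
  if (!isProtectedPath(pathname)) return "allow";
  return hasValidSession ? "allow" : "deny";
}

// Middleware entry point (export it from middleware.ts in a real app). No
// `matcher` is exported, so the function itself decides what is protected.
// The cookie test is a placeholder for the application's real session check.
function middleware(request) {
  const { pathname } = new URL(request.url);
  const hasSession = request.headers.get("cookie")?.includes("session=") ?? false;
  if (authorize(pathname, hasSession) === "deny") {
    return new Response("Unauthorized", { status: 401 });
  }
  // Returning nothing lets the request continue to the route.
}
```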



Advisories

Source: Github GHSA
ID: GHSA-267c-6grr-h53f
Title: Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes
History

Thu, 14 May 2026 12:45:00 +0000
  Type: CPEs
  Values: cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*

Wed, 13 May 2026 18:45:00 +0000
  Type: First Time appeared
  Values: Vercel; Vercel next.js
  Type: Vendors & Products
  Values: Vercel; Vercel next.js

Wed, 13 May 2026 18:30:00 +0000
  Type: Metrics
  Values: ssvc
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 17:15:00 +0000
  Type: Description
  Values: Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used for segment prefetching. In affected configurations, specially crafted .rsc and segment-prefetch URLs can resolve to the same page without being matched by the intended middleware rule, which can allow protected content to be reached without the expected authorization check. This vulnerability is fixed in 15.5.16 and 16.2.5.
  Type: Title
  Values: Next.js: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
  Type: Weaknesses
  Values: CWE-288
  Type: References
  Values: (none shown)
  Type: Metrics
  Values: cvssV3_1
  {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T17:50:24.865Z

Reserved: 2026-05-06T21:49:12.424Z

Link: CVE-2026-44575

Vulnrichment

Updated: 2026-05-13T17:50:20.144Z

NVD

Status : Analyzed

Published: 2026-05-13T17:16:22.907

Modified: 2026-05-14T12:38:11.500

Link: CVE-2026-44575

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T18:30:46Z

Weaknesses