Description
Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the original URL and poison shared cache entries so later visitors receive component payloads instead of the expected HTML. This vulnerability is fixed in 15.5.16 and 16.2.5.
Published: 2026-05-13
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Next.js versions 14.2.0 up to before 15.5.16 and 16.2.5 allows an attacker to poison a shared cache that stores React Server Component (RSC) payloads. When a shared cache does not correctly separate cache variants, the attacker can cause a response originally intended for an HTML consumer to be served to subsequent visitors instead, exposing component data that was not meant for that audience. The impact is potential information disclosure to unintended users as the cached payload can contain sensitive component state.

Affected Systems

Next.js applications running on vercel:next.js with framework versions between 14.2.0 and 15.5.15 inclusive, as well as between 16.0.0 and 16.2.4 inclusive, are vulnerable. Versions 15.5.16 and later, and 16.2.5 and later have the issue addressed and are no longer affected.

Risk and Exploitability

The CVSS score is 5.4, indicating moderate severity. The EPSS score is <1%, indicating a very low but non‑zero exploitation probability. The vulnerability is not listed in the CISA KEV catalog, but shared caches are common in modern web deployments, so the attack surface is non‑trivial. Based on the description, the likely attack vector is HTTP requests targeting the RSC endpoints in a shared caching environment where the response is not correctly isolated. An attacker could thus manipulate the cache entry, causing subsequent legitimate users to receive incorrect component payloads.

Generated by OpenCVE AI on May 28, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Next.js to version 15.5.16 or newer, or to 16.2.5 or newer, to apply the vendor‑fixed cache partitioning logic.
  • If upgrading immediately is not feasible, configure shared caches to avoid caching RSC responses or enforce proper cache key isolation so that responses are not served across different consumer contexts.
  • Deploy a monitoring rule that alerts on cache hits for RSC endpoints with unexpected request patterns, helping to detect cache poisoning attempts.

Generated by OpenCVE AI on May 28, 2026 at 15:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wfc6-r584-vfw7 Next.js vulnerable to cache poisoning in React Server Component responses
History

Thu, 28 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-444
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 18 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 13:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*

Wed, 13 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Vercel
Vercel next.js
Vendors & Products Vercel
Vercel next.js

Wed, 13 May 2026 17:15:00 +0000

Type Values Removed Values Added
Description Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the original URL and poison shared cache entries so later visitors receive component payloads instead of the expected HTML. This vulnerability is fixed in 15.5.16 and 16.2.5.
Title Next.js: Cache poisoning in React Server Component responses
Weaknesses CWE-436
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L'}

Subscriptions

Vercel Next.js
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-18T13:45:59.133Z

Reserved: 2026-05-06T21:49:12.424Z

Link: CVE-2026-44576

cve-icon Vulnrichment

Updated: 2026-05-18T13:45:30.744Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T17:16:23.040

Modified: 2026-05-14T13:44:18.270

Link: CVE-2026-44576

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-13T16:57:10Z

Links: CVE-2026-44576 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T15:30:05Z

Weaknesses