Description
Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. This vulnerability is fixed in 15.5.18 and 16.2.6.
Published: 2026-05-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Next.js middleware handling when using Turbopack allows an attacker to bypass the intended request preprocessing logic. This can enable the execution of requests that should normally be blocked by authentication or proxy rules, leading to unauthorized data exposure or manipulation within the application. The weakness is classified as Authentication Bypass (CWE‑288, CWE‑358).

Affected Systems

Vulnerable versions are Next.js releases from 15.2.0 through 15.5.17 inclusive, and from 16.2.0 through 16.2.5 inclusive. The fix is applied in release 15.5.18 and 16.2.6. Applications built with these versions and configured to use Turbopack in middleware.ts are at risk.

Risk and Exploitability

The vulnerability has a CVSS score of 7.5, suggesting a high impact if exploited. The EPSS score is 0.00014 (< 1%), indicating a very low probability of exploitation in the wild. The absence of a KEV listing confirms that there are no publicly known exploits. Despite the low EPSS, the moderate–high severity and the identified authentication bypass (CWE‑288, CWE‑358) recommend a precautionary stance. Attackers would target segment-prefetch routes in App Router applications, and the likely vector is HTTP requests that trigger middleware processing. No special conditions or privilege are required beyond normal web traffic to exploit the bypass.

Generated by OpenCVE AI on June 3, 2026 at 14:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest secured releases of Next.js (15.5.18 or 16.2.6 and later) to apply the middleware bug fix.
  • Ensure that your application’s middleware.ts files no longer rely on Turbopack when processing segment-prefetch routes; replace with the updated logic shipped with the patched release or isolate the request path.
  • As a temporary measure, restrict access to the segment-prefetch routes by adding explicit authentication checks or disabling these routes until the patch is applied.

Generated by OpenCVE AI on June 3, 2026 at 14:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-26hh-7cqf-hhc6 Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
History

Wed, 03 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-358
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 14 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 14:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*

Wed, 13 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Vercel
Vercel next.js
Vendors & Products Vercel
Vercel next.js

Wed, 13 May 2026 18:00:00 +0000

Type Values Removed Values Added
Description Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. This vulnerability is fixed in 15.5.18 and 16.2.6.
Title Next.js: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
Weaknesses CWE-288
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Vercel Next.js
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T18:39:29.674Z

Reserved: 2026-05-08T19:27:26.699Z

Link: CVE-2026-45109

cve-icon Vulnrichment

Updated: 2026-05-13T18:39:25.285Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T18:16:19.283

Modified: 2026-05-14T14:14:06.463

Link: CVE-2026-45109

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-13T17:11:07Z

Links: CVE-2026-45109 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T15:00:07Z

Weaknesses