CVE-2026-44574
Authorization Bypass vulnerability in next (npm)
What is CVE-2026-44574 About?
This vulnerability in Next.js applications allows for authorization bypass in dynamic routes protected by middleware. Attackers can manipulate query parameters to change the dynamic route value seen by the page, circumventing middleware checks. This exploit is of medium complexity, relying on specially crafted query parameters to alter routing behavior.
Affected Software
- next
- >=15.4.0, <15.5.16
- >=16.0.0, <16.2.5
Technical Details
In Next.js applications, middleware is often used to protect dynamic routes by checking authorization. This vulnerability arises because specially crafted query parameters can interfere with how dynamic route values are interpreted. An attacker can manipulate these parameters to alter the internal dynamic route value that the page component 'sees', while the visible path in the URL remains unchanged. This discrepancy allows the attacker to bypass the authorization logic implemented in the middleware, as the middleware incorrectly validates the external path, failing to account for the manipulated internal route. The fix involves ensuring that internal route-parameter normalization only occurs within trusted routing flows, effectively ignoring external, untrusted parameter encodings.
What is the Impact of CVE-2026-44574?
Successful exploitation may allow attackers to bypass authorization controls, access protected content or resources they should not have access to, and potentially gain elevated privileges or sensitive information.
What is the Exploitability of CVE-2026-44574?
Exploitation of this vulnerability is of medium complexity, requiring the attacker to understand how query parameters interact with Next.js dynamic routing and middleware. No authentication is explicitly required if the middleware is intended to gate unauthenticated access, though authentication may be needed for certain protected routes. Privilege requirements are minimal, generally just the ability to send web requests. This is a remote vulnerability. Special conditions include the use of middleware to protect dynamic routes and the application's reliance on route path matching as the sole authorization enforcement mechanism within the middleware. The risk factor is increased in applications that have complex dynamic routing schemes and strict authorization policies enforced solely at the middleware level.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2026-44574?
Available Upgrade Options
- next
- >=15.4.0, <15.5.16 → Upgrade to 15.5.16
- next
- >=16.0.0, <16.2.5 → Upgrade to 16.2.5
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
What are Similar Vulnerabilities to CVE-2026-44574?
Similar Vulnerabilities: CVE-2023-45133 , CVE-2023-45134 , CVE-2023-46233 , CVE-2023-28108 , CVE-2024-21396
