CVE-2026-44575
Authorization bypass vulnerability in next (npm)

Bypass vulnerability. No known exploit.

What is CVE-2026-44575 About?

This vulnerability in Next.js App Router applications allows unauthorized access to protected content by bypassing authorization checks implemented in middleware or in a proxy in front of the application. Specially crafted `.rsc` and segment-prefetch URLs resolve to the same page as the normal URL but are not matched by the middleware rules written for that URL. Exploitation is moderately easy: it requires only manipulation of the request path.

Affected Software

  • next
    • >=16.0.0, <16.2.5
    • >=15.2.0, <15.5.16

Technical Details

App Router applications that enforce authorization in middleware or in a proxy are affected. The App Router serves transport-specific variants of a route for client-side navigation and segment prefetching (for example `.rsc` URLs and segment-prefetch URLs). These variants resolve to the same page as the normal URL, but middleware rules written against the normal URL do not consistently match them. An attacker who requests a protected page through such a variant reaches it without the middleware authorization check running, and can retrieve data or trigger actions that should have been restricted.

What is the Impact of CVE-2026-44575?

Successful exploitation may allow attackers to bypass authorization controls, gaining unauthorized access to protected content or functionalities that should be restricted by middleware or proxy-based checks.

What is the Exploitability of CVE-2026-44575?

Exploitation requires only a specially crafted URL that uses a `.rsc` or segment-prefetch variant of a protected page's path; the attack is remote and needs no special tooling. The application must rely on middleware or proxy-based checks for authorization, and those checks must not account for the App Router transport variants. Where the middleware gates access for unauthenticated users, the attacker needs no credentials; where it enforces checks on authenticated users, those checks may be bypassed as well. The primary risk factor is incomplete application of middleware rules across all route variants that resolve to the same page.
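The following is an added example, not code from Next.js or from this advisory, illustrating the bypass class described in the Technical Details and Exploitability sections: a middleware matcher evaluated on the raw request path misses a transport variant that the router later resolves to the same page, and a check that runs on the resolved page path closes that gap. The `.rsc` variant is modelled as the page path with a `.rsc` suffix, which is an assumption; the exact URL shapes Next.js emits, including segment-prefetch URLs, are not given on this page, so the example does not guess them. The matcher syntax is a reduced path-to-regexp, the `/admin` route and the request paths are constructed for illustration.

```javascript
// Added example (not Next.js code, and not from this advisory). It models the bypass
// class described above: a middleware matcher is evaluated on the raw request path,
// while the router later resolves a transport variant of that path to the same page.
//
// Assumption (not stated on the page): the RSC transport variant is modelled as the page
// path with a ".rsc" suffix. Segment-prefetch URLs follow the same idea, but their exact
// shape is not given here, so this example does not guess it.

const RSC_SUFFIX = '.rsc';

// Reduced path-to-regexp: literal segments, ":name" (exactly one segment) and ":name*"
// (zero or more segments), the subset of Next.js matcher syntax this example needs.
function matcherToRegExp(pattern) {
  const body = pattern
    .split('/')
    .filter(Boolean)
    .map((seg) => {
      if (/^:\w+\*$/.test(seg)) return '(?:/[^/]+)*';
      if (/^:\w+$/.test(seg)) return '/[^/]+';
      return '/' + seg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
    })
    .join('');
  return new RegExp(`^${body}/?$`);
}

// Vulnerable shape: the matcher alone decides whether middleware runs, on the raw path.
function middlewareRunsFor(rawPath, matchers) {
  return matchers.some((m) => matcherToRegExp(m).test(rawPath));
}

// Model of what the router does afterwards: strip the transport decoration to find the
// page the request actually resolves to.
function resolvePagePath(rawPath) {
  let page = rawPath.split('?')[0];
  if (page.endsWith(RSC_SUFFIX)) page = page.slice(0, -RSC_SUFFIX.length);
  if (page.length > 1 && page.endsWith('/')) page = page.slice(0, -1);
  return page === '' ? '/' : page;
}

// Hardened shape: make the authorization decision on the resolved page path, for every
// request, instead of letting a raw-path matcher pre-filter which requests are checked.
// The "p + '/'" boundary also prevents "/adminx" from counting as "/admin".
function requiresAuth(rawPath, protectedPrefixes) {
  const page = resolvePagePath(rawPath);
  return protectedPrefixes.some((p) => page === p || page.startsWith(p + '/'));
}

// Constructed request paths, not captured traffic. "/admin.rsc" is the assumed RSC
// variant of the protected page "/admin".
const PROTECTED_MATCHERS = ['/admin', '/admin/:path*'];
const PROTECTED_PREFIXES = ['/admin'];
const REQUESTS = ['/admin', '/admin/users', '/admin.rsc', '/admin/users.rsc', '/about.rsc'];

// For each request: the page it resolves to, whether the raw-path matcher would gate it,
// and whether the normalised check would. Exactly one row (/admin.rsc) differs.
function compare() {
  return REQUESTS.map((raw) => ({
    raw,
    page: resolvePagePath(raw),
    matcherGates: middlewareRunsFor(raw, PROTECTED_MATCHERS),
    normalizedGates: requiresAuth(raw, PROTECTED_PREFIXES),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compare());
}
```

The normalisation step only covers the variant shapes you know about, which is why the real fix is the framework upgrade listed below rather than a hand-written path rewrite. As defense in depth, enforce the authorization decision again inside the page, layout, or route handler that serves the data, so that a request reaching the page by any transport still hits a check.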

What are the Known Public Exploits?

No known public exploits are listed (no PoC, author, link or commentary entries).

What are the Available Fixes for CVE-2026-44575?

Available Upgrade Options

  • next
    • >=15.2.0, <15.5.16 → Upgrade to 15.5.16
    • >=16.0.0, <16.2.5 → Upgrade to 16.2.5


Additional Resources

What are Similar Vulnerabilities to CVE-2026-44575?

Similar Vulnerabilities: CVE-2023-38500, CVE-2022-42969, CVE-2021-41221, CVE-2020-28470, CVE-2019-13045