GHSA-26hh-7cqf-hhc6
Authorization Bypass vulnerability in next (npm)

Authorization Bypass No known exploit

What is GHSA-26hh-7cqf-hhc6 About?

This vulnerability is an authorization bypass that affects Next.js applications using `middleware.ts` with Turbopack, mirroring the issue described in CVE-2026-44575. The earlier fix for CVE-2026-44575 did not extend to this configuration, leaving it open to the same class of bypass. Exploitation involves circumventing the middleware logic that is meant to protect routes, which is what makes the vulnerability awkward to manage.

Affected Software

  • next
    • >=15.2.0, <15.5.18
    • >=16.0.0, <16.2.6

Technical Details

This vulnerability is a direct manifestation of a previously addressed issue (CVE-2026-44575) whose fix did not cover all configurations. Specifically, the fix for CVE-2026-44575 did not apply to Next.js applications that use `middleware.ts` together with Turbopack, so the same authorization bypass mechanisms identified in the original vulnerability remain exploitable there. An attacker can bypass the security middleware and potentially gain unauthorized access to routes or resources that the middleware logic is meant to protect.

What is the Impact of GHSA-26hh-7cqf-hhc6?

Successful exploitation may allow attackers to bypass authorization controls, access protected content or resources they should not have access to, and potentially gain elevated privileges or sensitive information.

What is the Exploitability of GHSA-26hh-7cqf-hhc6?

Exploitation is likely of medium complexity, given the similarity to CVE-2026-44575, which involves crafting URIs or parameters to circumvent middleware logic. No authentication is required if the middleware is bypassed before authentication occurs; otherwise, an authenticated attacker might use it for privilege escalation. The privileges obtained are whatever access the bypassed route grants. This is a remote vulnerability. A specific deployment environment is required: a Next.js application that uses `middleware.ts` together with Turbopack. The risk is higher for applications that migrated or updated assuming the patch for CVE-2026-44575 covered their setup when it did not.

What are the Known Public Exploits?

No known public exploits (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for GHSA-26hh-7cqf-hhc6?

Available Upgrade Options

  • next
    • >=15.2.0, <15.5.18 → Upgrade to 15.5.18
  • next
    • >=16.0.0, <16.2.6 → Upgrade to 16.2.6
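As an added example (not code from the advisory or the Next.js project), the script below reads the `next` version from an npm lockfile and checks it against the affected ranges above, reporting the release to upgrade to; the lockfile layout it reads and the sample entry are assumed and constructed.

```javascript
// Added example (not from the advisory or Next.js): checks the `next` version
// in an npm package-lock.json (v2/v3 "packages" map, an assumed shape) against
// the affected ranges listed above. Affected when min <= version < below.
const AFFECTED = [
  { min: "15.2.0", below: "15.5.18", fixed: "15.5.18" },
  { min: "16.0.0", below: "16.2.6", fixed: "16.2.6" },
];

// Parses "MAJOR.MINOR.PATCH[-prerelease]" into a comparable tuple. As in
// semver, a prerelease (e.g. a canary build) sorts below its release, so
// "16.2.6-canary.1" is still older than the fixed 16.2.6.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1];
}
function compare(a, b) {
  for (let i = 0; i < a.length; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns the release to upgrade to, or null when outside every affected range.
function fixedVersionFor(installed) {
  const v = parseVersion(installed);
  for (const r of AFFECTED) {
    if (compare(v, parseVersion(r.min)) >= 0 && compare(v, parseVersion(r.below)) < 0) {
      return r.fixed;
    }
  }
  return null;
}

// Reads the resolved `next` version from lockfile JSON; null if not present.
function nextVersionFromLock(lockJson) {
  const entry = JSON.parse(lockJson).packages?.["node_modules/next"];
  return entry ? entry.version : null;
}

// Constructed sample lockfile fragment (not taken from any real project).
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: { "node_modules/next": { version: "16.1.0" } },
});
const installed = nextVersionFromLock(SAMPLE_LOCK);
const fix = fixedVersionFor(installed);
console.log(fix ? `GHSA-26hh-7cqf-hhc6: next ${installed} is affected, upgrade to ${fix}`
                : `GHSA-26hh-7cqf-hhc6: next ${installed} is not in an affected range`);
```

Versions below 15.2.0 and the 15.5.18 / 16.2.6 releases themselves are reported as not affected, matching the ranges in the advisory.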


Additional Resources

What are Similar Vulnerabilities to GHSA-26hh-7cqf-hhc6?

Similar Vulnerabilities: CVE-2026-44575, CVE-2026-44574, CVE-2023-45133, CVE-2023-45134, CVE-2023-46233