Next.js: Middleware / Proxy bypass in Pages Router applications using...

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Description

Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /_next/data/<buildId>/<page>.json requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks. This vulnerability is fixed in 15.5.16 and 16.2.5.

Basic Information

ID CVE-2026-44573

Source GitHub_M

Published May 13, 2026 at 16:48

Affected Product

Vendor vercel

Product next.js

Version >= 12.2.0, < 15.5.16

Affected Versions vercel next.js >= 12.2.0, < 15.5.16
vercel next.js >= 16.0.0, < 16.2.5

CWE Classification

CWE-863

References

github.com /vercel/next.js/security/advisories/GHSA-36qx-fr4f-26g5

{
    "lastseen": "",
    "description": "Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /_next/data/<buildId>/<page>.json requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks. This vulnerability is fixed in 15.5.16 and 16.2.5.",
    "published": "2026-05-13T16:48:16.218Z",
    "modified": "2026-05-13T16:48:16.218Z",
    "type": "cve",
    "title": "Next.js: Middleware / Proxy bypass in Pages Router applications using i18n",
    "source": "GitHub_M",
    "references": "https://github.com/vercel/next.js/security/advisories/GHSA-36qx-fr4f-26g5",
    "id": "CVE-2026-44573",
    "bulletinFamily": "",
    "cwe": [
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "vercel next.js >= 12.2.0, < 15.5.16\nvercel next.js >= 16.0.0, < 16.2.5",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "next.js",
    "version": ">= 12.2.0, < 15.5.16",
    "vendor": "vercel",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Next.js: Middleware / Proxy bypass in Pages Router applications using i18n_CVE-2026-44573