216.73.217.176

CVE-2026-44575

· Published 13/05/2026 17:16 · Modified 14/05/2026 12:38

Labels: CVE-2026-44575 2026-05-13CVE-2026-44575CWE-288[email protected]

Essential information

Published
13/05/2026 17:16
Modified
14/05/2026 12:38
Author
Creator
CVSS
7.5 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS metrics

Description

Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used for segment prefetching. In affected configurations, specially crafted .rsc and segment-prefetch URLs can resolve to the same page without being matched by the intended middleware rule, which can allow protected content to be reached without the expected authorization check. This vulnerability is fixed in 15.5.16 and 16.2.5.

NVD status

Status
Analyzed — CVE is currently being analyzed by NVD staff, this process results in association of reference link tags, CVSS scores, CWE association, and CPE applicability statements.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
vercel / next.js cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
vercel / next.js cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*

References