Next.js Internationalization Middleware Vulnerability in next-intl
CVE-2026-40299

CVSS v4 score: 6.9 (Medium)

Key Information:

Vendor: Amannn
Status: Vendor
CVE Published: 17 April 2026

What is CVE-2026-40299?

next-intl is an internationalization library for Next.js whose middleware redirects requests to locale-aware paths. In versions prior to 4.9.1, when the middleware is configured with `localePrefix: 'as-needed'`, an attacker can craft a request URL that makes it issue an unsafe redirect: the relative redirect target derived from the request is resolved by the WHATWG URL parser to an origin other than the application's own, so a link that appears to point at the trusted application sends the user to an attacker-chosen site. This is an open redirect, typically abused for phishing; it does not by itself disclose data or affect availability, which is why the CVSS vector rates only integrity (Low). The issue is fixed in next-intl 4.9.1 and users are strongly encouraged to update. Until an upgrade is possible, the practical check is to confirm that every redirect `Location` the middleware emits resolves to the application's own origin; merely checking that a target begins with `/` is not sufficient, because protocol-relative forms such as `//host` also begin with `/`.

Affected Version(s)

next-intl < 4.9.1

References

CVSS v4

Score: 6.9
Severity: Medium
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published: 17 April 2026

  • Vulnerability reserved