Denial of Service Vulnerability in Next.js Framework by Vercel
CVE-2026-44572
What is CVE-2026-44572?
The Next.js framework, used to build full-stack web applications, is susceptible to a Denial of Service vulnerability. An attacker could exploit this flaw by sending a specially crafted header in requests to routes handled by middleware that returns redirects. This manipulation causes the framework to replace the normal redirect instructions with an internal header that browsers do not recognize, so the resulting response does not redirect as intended. When such a malformed redirect is stored by a CDN or a reverse proxy, it is served to subsequent users, rendering the affected path inoperable until the cache is purged. This issue has been resolved in versions 15.5.16 and 16.2.5.
Affected Version(s)
Package   Affected versions       Not affected
next.js   >= 12.2.0, < 15.5.16    < 12.2.0, 15.5.16
next.js   >= 16.0.0, < 16.2.5     < 16.0.0, 16.2.5
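The two practical questions a defender has after reading the description and the version table are "is my installed next.js inside the affected ranges?" and "how do I stop my CDN or reverse proxy from storing a redirect that has lost its Location header?". The following Node.js script is an added example written for this page; it is not Next.js or Vercel code. The version ranges are copied from the table above. The advisory does not name the internal header, so the header name used in the constructed sample response (x-example-internal-redirect) is a placeholder, and the sample responses themselves are constructed for illustration.

```javascript
// Added example (not Next.js/Vercel code). Two defensive checks for this advisory:
//  1. isAffectedVersion(): is an installed next.js version inside the affected ranges?
//  2. isCacheableRedirect(): should a cache layer store a response that claims to be a
//     redirect? A 3xx response without a usable Location header is treated as malformed
//     and must not be cached, which is exactly the poisoned state the advisory describes.

// Affected ranges copied from the advisory: inclusive lower bound, exclusive upper bound.
const AFFECTED_RANGES = [
  { min: '12.2.0', max: '15.5.16' },
  { min: '16.0.0', max: '16.2.5' },
];

// Minimal comparison for plain dotted numeric versions (no pre-release tags handled).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] ?? 0;
    const db = pb[i] ?? 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  return 0;
}

// True when `version` falls inside any affected range from the advisory.
function isAffectedVersion(version) {
  return AFFECTED_RANGES.some(
    ({ min, max }) => compareVersions(version, min) >= 0 && compareVersions(version, max) < 0
  );
}

// Decide whether a response is a well-formed redirect that is safe to cache.
// `headers` is a plain object with lower-case names, as a proxy would normalize them.
function isCacheableRedirect(status, headers) {
  if (status < 300 || status > 399) return false; // not a redirect at all
  const location = headers['location'];
  if (typeof location !== 'string' || location.trim() === '') return false; // Location missing
  if (/[\r\n\0]/.test(location)) return false; // control characters: corrupted header value
  return true;
}

// Scan a batch of captured responses and return the ids of redirect-status responses
// that a cache layer should refuse to store.
function findUncacheableRedirects(responses) {
  return responses
    .filter((r) => r.status >= 300 && r.status <= 399 && !isCacheableRedirect(r.status, r.headers))
    .map((r) => r.id);
}

// Constructed sample: one healthy redirect, one redirect whose Location has been replaced
// by an unrecognised header (placeholder name; the advisory does not name the real header),
// and one ordinary page response.
const SAMPLE_RESPONSES = [
  { id: 'ok', status: 307, headers: { location: '/login', 'cache-control': 'public, max-age=60' } },
  { id: 'broken', status: 307, headers: { 'x-example-internal-redirect': '/login', 'cache-control': 'public, max-age=60' } },
  { id: 'page', status: 200, headers: { 'content-type': 'text/html' } },
];

console.log('15.5.15 affected:', isAffectedVersion('15.5.15')); // true
console.log('15.5.16 affected:', isAffectedVersion('15.5.16')); // false
console.log('do not cache:', findUncacheableRedirects(SAMPLE_RESPONSES)); // [ 'broken' ]
```

In a real deployment the second check belongs in the cache's response-validation hook (or as an explicit rule that bypasses caching for 3xx responses lacking Location), so that a single crafted request cannot leave a broken redirect in the shared cache; purging the cache, as the advisory notes, is the recovery step once such an entry has already been stored.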