Authorization Bypass in Next.js Framework by Vercel
CVE-2026-44574
What is CVE-2026-44574?
CVE-2026-44574 is a vulnerability in the Next.js framework, developed by Vercel, which is widely used to build full-stack web applications with React. The flaw is an authorization bypass that primarily affects applications relying on middleware to protect dynamic routes. Specially crafted query parameters can change the dynamic route value that the application resolves while the visible request path stays the same, so the middleware evaluates one path and the application renders another. The result is that protected content can be rendered without passing through the expected authorization checks. This is particularly dangerous because it undermines the security model meant to restrict access to sensitive information or functionality, and could lead to serious breaches within affected organizations.
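The following is an added example, not code from Next.js, Vercel or this advisory. It models the gap the advisory describes: middleware that decides from the visible request path, while the page renders from the dynamic route parameter the framework resolved. The advisory does not detail the query-parameter mechanism, so the constructed request simply supplies a resolved route parameter that differs from the visible path; the document store, the session object and the `handle` helper are all constructed for illustration. It shows why the resolved parameters must be re-checked where content is actually rendered, instead of trusting a path-based middleware decision alone.

```javascript
// Constructed data: which user owns which document (null = public).
const DOCUMENTS = {
  "doc-public": { owner: null, body: "Public notes" },
  "doc-alice": { owner: "alice", body: "Alice's private notes" },
};

// Path-based middleware: derives the document id from the visible pathname
// and allows the request if the document is public or owned by the session user.
function middlewareAllows(pathname, session) {
  const m = pathname.match(/^\/docs\/([^/]+)$/);
  if (!m) return true; // not a /docs route, nothing to protect here
  const doc = DOCUMENTS[m[1]];
  if (!doc || doc.owner === null) return true;
  return Boolean(session && session.user === doc.owner);
}

// Page-level authorization: uses the params the framework actually resolved,
// which is the value the page will render from.
function renderDoc(resolvedParams, session) {
  const doc = DOCUMENTS[resolvedParams.id];
  if (!doc) return { status: 404 };
  if (doc.owner !== null && (!session || session.user !== doc.owner)) {
    return { status: 403 };
  }
  return { status: 200, body: doc.body };
}

// Simulated request pipeline. `resolvedParams` is a constructed input standing
// in for whatever the framework derives from the request; the advisory states
// it can be made to differ from the visible path. With pageChecks=false the
// page trusts the middleware decision; with pageChecks=true it re-authorizes.
function handle({ pathname, resolvedParams, session }, { pageChecks }) {
  if (!middlewareAllows(pathname, session)) return { status: 401 };
  if (!pageChecks) {
    const doc = DOCUMENTS[resolvedParams.id];
    return doc ? { status: 200, body: doc.body } : { status: 404 };
  }
  return renderDoc(resolvedParams, session);
}

// Constructed request: the visible path is public, but the resolved route
// parameter points at a private document.
const DIVERGENT_REQUEST = {
  pathname: "/docs/doc-public",
  resolvedParams: { id: "doc-alice" },
  session: null,
};

// Returns the outcome with middleware-only authorization versus defense in depth.
function compare() {
  return {
    middlewareOnly: handle(DIVERGENT_REQUEST, { pageChecks: false }),
    withPageChecks: handle(DIVERGENT_REQUEST, { pageChecks: true }),
  };
}
```

Running `compare()` shows the middleware-only path returning the private document with status 200, while the page-level check returns 403 for the same request. The defensive takeaway is independent of the specific bypass: authorization decisions for dynamic routes should be made (or repeated) in the page or route handler using the resolved parameters, and the framework should be upgraded to a version listed as unaffected below.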
Potential impact of CVE-2026-44574
- Unauthorized Access to Sensitive Data: Due to the authorization bypass, attackers could gain unauthorized access to protected resources, leading to potential exposure or theft of sensitive data, including user information and proprietary content.
- Application Integrity and Trust Issues: Organizations may face integrity concerns if protected routes are accessed without proper authorization. This could damage trust with users and clients, resulting in reputation harm and possible financial implications.
- Increased Attack Surface for Further Exploits: With this vulnerability, systems could become entry points for more sophisticated attacks. Successful exploitation might allow attackers to manipulate applications further, install backdoors, or launch additional attacks, increasing the overall risk profile of the affected environments.
Affected Version(s)
Package    Affected versions        Unaffected versions
next.js    >= 15.4.0, < 15.5.16     < 15.4.0, 15.5.16
next.js    >= 16.0.0, < 16.2.5      < 16.0.0, 16.2.5