Cache Poisoning Vulnerability in Next.js Framework by Vercel
CVE-2026-44576

5.4 MEDIUM

Key Information:

Vendor: Vercel

Status
Vendor
CVE Published: 13 May 2026

What is CVE-2026-44576?

Next.js, a React framework for building full-stack web applications, is susceptible to a cache poisoning vulnerability. The issue affects applications that use React Server Components (RSC), in versions from 14.2.0 up to but not including 15.5.16, and from 16.0.0 up to but not including 16.2.5. When shared caches are inadequately partitioned, an attacker may exploit this weakness so that compromised RSC responses are served from the original URL, poisoning shared cache entries. Subsequent visitors may then receive unintended component payloads instead of the intended HTML. The vulnerability has been addressed in versions 15.5.16 and 16.2.5.

Affected Version(s)

next.js: affected >= 14.2.0, < 15.5.16; not affected < 14.2.0, 15.5.16

next.js: affected >= 16.0.0, < 16.2.5; not affected < 16.0.0, 16.2.5

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved