Cache Poisoning Vulnerability in Next.js Framework by Vercel
CVE-2026-44582

3.7 LOW

Key Information:

Vendor: Vercel

Status
Vendor
CVE Published: 13 May 2026

What is CVE-2026-44582?

Next.js, a prominent React framework for full-stack web applications, has a vulnerability in how its responses are handled by caches. Versions from 13.4.6 up to, but not including, 15.5.16, and from 16.0.0 up to, but not including, 16.2.5, contain a flaw that could lead to cache poisoning. It occurs when deployments use shared caches without adequate response partitioning, which allows collisions in the _rsc cache-busting value. An attacker may exploit this to manipulate cache entries, causing affected users to receive incorrect response variants for specific URLs. The issue is resolved in releases 15.5.16 and 16.2.5.

Affected Version(s)

next.js: affected >= 13.4.6, < 15.5.16 (unaffected: < 13.4.6, 15.5.16)

next.js: affected >= 16.0.0, < 16.2.5 (unaffected: < 16.0.0, 16.2.5)

CVSS V3.1

Score: 3.7
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved