High severity7.5GHSA Advisory· Published May 13, 2026· Updated May 14, 2026
CVE-2026-44573
CVE-2026-44573
Description
Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /_next/data//.json requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks. This vulnerability is fixed in 15.5.16 and 16.2.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
nextnpm | >= 12.2.0, < 15.5.16 | 15.5.16 |
nextnpm | >= 16.0.0, < 16.2.5 | 16.2.5 |
Affected products
4- osv-coords2 versions
< 0.51.0-r7+ 1 more
- (no CPE)range: < 0.51.0-r7
- (no CPE)range: >= 12.2.0, < 15.5.16
Patches
Vulnerability mechanics
References
5News mentions
1- ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and MoreThe Hacker News · May 11, 2026