VYPR
High severity7.5GHSA Advisory· Published May 13, 2026· Updated May 14, 2026

CVE-2026-44573

CVE-2026-44573

Description

Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /_next/data//.json requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks. This vulnerability is fixed in 15.5.16 and 16.2.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
nextnpm
>= 12.2.0, < 15.5.1615.5.16
nextnpm
>= 16.0.0, < 16.2.516.2.5

Affected products

4
  • Vercel/Next.jsGHSA2 versions
    >= 16.0.0, < 16.2.5+ 1 more
    • (no CPE)range: >= 16.0.0, < 16.2.5
    • cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*range: >=12.2.0,<15.5.16
  • osv-coords2 versions
    < 0.51.0-r7+ 1 more
    • (no CPE)range: < 0.51.0-r7
    • (no CPE)range: >= 12.2.0, < 15.5.16

Patches

Vulnerability mechanics

References

5

News mentions

1