VYPR
High severity8.1GHSA Advisory· Published May 13, 2026· Updated May 14, 2026

CVE-2026-44574

CVE-2026-44574

Description

Next.js is a React framework for building full-stack web applications. From 15.4.0 to before 15.5.16 and 16.2.5, applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployments, specially crafted query parameters can alter the dynamic route value seen by the page while leaving the visible path unchanged, which can allow protected content to be rendered without passing the expected middleware check. This vulnerability is fixed in 15.5.16 and 16.2.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
nextnpm
>= 15.4.0, < 15.5.1615.5.16
nextnpm
>= 16.0.0, < 16.2.516.2.5

Affected products

4
  • Vercel/Next.jsGHSA2 versions
    >= 16.0.0, < 16.2.5+ 1 more
    • (no CPE)range: >= 16.0.0, < 16.2.5
    • cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*range: >=15.4.0,<15.5.16
  • osv-coords2 versions
    < 0.51.0-r7+ 1 more
    • (no CPE)range: < 0.51.0-r7
    • (no CPE)range: >= 15.4.0, < 15.5.16

Patches

Vulnerability mechanics

References

5

News mentions

1