Next.js Vulnerability Exposes Protected Data via Pages Router

The National Vulnerability Database has detailed CVE-2026-44573, a high-severity vulnerability (CVSS 7.5) affecting Next.js applications using the Pages Router. Specifically, versions from 12.2.0 up to, but not including, 15.5.16 and 16.2.5 are vulnerable when configured with i18n and middleware/proxy-based authorization. This flaw allows unauthorized access to protected page data.

The core issue, as described by the National Vulnerability Database, lies in how Next.js handles locale-less /_next/data/<buildId>/<page>.json requests. Under these specific conditions, the middleware responsible for authorization checks simply doesn’t execute for the unprefixed data route. This bypass allows an attacker to fetch server-side rendered (SSR) JSON data for pages that should otherwise be protected by the intended authorization mechanisms.

This is a critical bypass. Attackers can directly retrieve sensitive information that organizations believed was secured behind authentication. The National Vulnerability Database confirms that the vulnerability is fixed in Next.js versions 15.5.16 and 16.2.5. Organizations running affected versions must prioritize upgrading immediately to close this authorization gap.
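One way for a defender to check access logs for the bypass pattern the advisory describes, as an added example that is not Next.js or NVD code: it flags /_next/data/<buildId>/<page>.json requests that carry no locale prefix and target a page the app's middleware is meant to protect. The locale list, the protected-page list and the log lines are all assumed or constructed for an example app.

```javascript
// Added example (not Next.js or NVD code): scan access-log lines for locale-less
// /_next/data/<buildId>/<page>.json requests against pages the app protects with
// middleware. LOCALES and PROTECTED_PAGES are assumed values for an example app.
const LOCALES = ['en', 'de', 'fr'];                          // assumed next.config.js i18n.locales
const PROTECTED_PAGES = ['/dashboard', '/account/settings']; // assumed middleware-protected pages

// Split a data-route path into buildId, locale (null when absent) and page.
// Returns null for anything that is not a /_next/data/ request.
function parseDataRoute(path) {
  const m = path.match(/^\/_next\/data\/([^/]+)\/(.+)\.json(?:\?.*)?$/);
  if (!m) return null;
  const [, buildId, rest] = m;
  const segs = rest.split('/');
  const hasLocale = LOCALES.includes(segs[0]);
  const page = '/' + (hasLocale ? segs.slice(1) : segs).join('/');
  return { buildId, locale: hasLocale ? segs[0] : null, page };
}

// A request matches the bypass pattern when it is a data route for a protected
// page and carries no locale prefix, i.e. the route the middleware never saw.
function isSuspectBypass(path) {
  const r = parseDataRoute(path);
  if (!r || r.locale !== null) return false;
  return PROTECTED_PAGES.some(p => r.page === p || r.page.startsWith(p + '/'));
}

// Extract the request target from combined-log-format lines and return the
// suspect ones; a 200 on such a request is the strongest signal of exposure.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const m = line.match(/"(?:GET|HEAD) (\S+) HTTP\/[\d.]+" (\d{3})/);
    if (m && isSuspectBypass(m[1])) hits.push({ path: m[1], status: Number(m[2]) });
  }
  return hits;
}

// Constructed sample log lines (not from any real system).
const SAMPLE_LOG = [
  '10.0.0.5 - - [13/May/2026:20:16:01 +0000] "GET /_next/data/abc123/en/dashboard.json HTTP/1.1" 200 512',
  '10.0.0.5 - - [13/May/2026:20:16:02 +0000] "GET /_next/data/abc123/dashboard.json HTTP/1.1" 200 512',
  '10.0.0.7 - - [13/May/2026:20:16:03 +0000] "GET /_next/data/abc123/about.json HTTP/1.1" 200 300',
  '10.0.0.9 - - [13/May/2026:20:16:04 +0000] "GET /_next/data/abc123/account/settings.json?tab=1 HTTP/1.1" 200 700',
  '10.0.0.9 - - [13/May/2026:20:16:05 +0000] "GET /dashboard HTTP/1.1" 302 0',
];

console.log(scanLog(SAMPLE_LOG)); // two suspect requests: /dashboard and /account/settings
```

On a patched build such requests should no longer return protected data, so hits with status 200 in logs from before the upgrade are the ones worth triaging.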

What This Means For You

  • If your organization uses Next.js with the Pages Router, i18n, and middleware-based authorization, you are exposed. Check your Next.js version immediately. Upgrade to 15.5.16 or 16.2.5 (or newer) to patch CVE-2026-44573. Failure to do so means an attacker can bypass your authorization to access sensitive SSR data.

Indicators of Compromise

ID | Type | Indicator
CVE-2026-44573 | Auth Bypass | Next.js versions 12.2.0 up to, but not including, 15.5.16 and 16.2.5
CVE-2026-44573 | Auth Bypass | Next.js Pages Router with i18n configured and middleware/proxy-based authorization
CVE-2026-44573 | Auth Bypass | Unauthorized access to protected page data via locale-less /_next/data/<buildId>/<page>.json requests
Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 13, 2026 at 20:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
