Next.js Middleware Bypass (CVE-2026-44574) Exposes Dynamic Routes
The National Vulnerability Database has published an advisory for CVE-2026-44574, a high-severity authorization bypass in Next.js. It affects versions 15.4.0 up to but not including 15.5.16, and 16.2.0 up to but not including 16.2.5. Next.js middleware is commonly used to gate access to dynamic routes (for example a route such as `/orgs/[orgId]`); in affected versions, a request carrying specially crafted query parameters can alter the route value that the page rendering logic resolves while the visible URL stays unchanged, so the middleware authorizes one route and the page renders another.
The vulnerability carries a CVSS score of 8.1 (High) and matters for any application that relies on Next.js middleware as its access-control layer. The core problem is that crafted input manipulates the framework's internal routing, so protected content can be disclosed or reached without authorization. NVD lists the fix as Next.js 15.5.16 and 16.2.5.
From an attacker's perspective this is attractive: it targets the very mechanism meant to enforce authorization, and the request itself looks ordinary. For defenders the lesson is that having middleware in place is not sufficient; the details of how dynamic routes and query parameters are parsed are where the gaps appear. Patching is non-negotiable, but also review how your Next.js application handles dynamic routing and query parameters, and enforce authorization again inside the page or route handler on the parameters it actually resolves, so that a middleware bypass alone does not expose data.
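The layered pattern argued for above, as an added example that is not code from the advisory or from the Next.js project: a dynamic route (assumed to be `app/orgs/[orgId]/page.tsx`) is authorized once in middleware and again in the page on the params the renderer actually resolved. It is written against the web-standard URL API only, so it runs under plain Node. The route, the session shape, and the `__next_` reserved-prefix deny-list (generalized from the `__next_locale` and `__next_theme` names in this feed's detection rule) are assumptions, and the `resolvedParams` argument merely simulates a middleware/renderer disagreement; it does not reproduce the bug.

```javascript
// Added example, not code from the advisory or the Next.js project. Defense in depth for an
// assumed dynamic route app/orgs/[orgId]/page.tsx that is also protected by middleware.
// Uses only the web-standard URL API so it runs under plain Node without Next.js installed.

// The feed's detection rule names __next_locale and __next_theme as the suspicious query
// parameters. Treating the whole __next_ prefix as reserved is an assumption of this example:
// run it in log-only mode against real traffic before turning the block on.
const RESERVED_QUERY_PREFIX = '__next_';

// Pulls the [orgId] segment out of /orgs/<orgId>[/...]; null for any other path.
function extractOrgId(pathname) {
  const m = pathname.match(/^\/orgs\/([^/]+)(?:\/|$)/);
  return m ? decodeURIComponent(m[1]) : null;
}

// Middleware-layer decision. In Next.js the result maps to NextResponse.next() or a
// NextResponse with the given status. Session shape assumed: { user, orgs: string[] }.
function middlewareDecision(urlString, session) {
  const url = new URL(urlString, 'https://app.example');
  for (const key of url.searchParams.keys()) {
    if (key.startsWith(RESERVED_QUERY_PREFIX)) {
      return { action: 'block', status: 400, reason: `reserved query parameter ${key}` };
    }
  }
  const orgId = extractOrgId(url.pathname);
  if (orgId !== null && !session.orgs.includes(orgId)) {
    return { action: 'block', status: 403, reason: `session lacks org ${orgId}` };
  }
  return { action: 'allow', orgId };
}

// Page/handler-layer check, run on the params the renderer actually resolved. This is the
// check that still holds if middleware and renderer disagree about which route is being served.
function renderOrgPage(params, session) {
  if (!session.orgs.includes(params.orgId)) {
    return { status: 403, body: 'forbidden' };
  }
  return { status: 200, body: `dashboard for ${params.orgId}` };
}

// Middleware first, then the page check. `resolvedParams` lets the caller simulate the renderer
// resolving a different org than the one in the path; it does not reproduce the vulnerability.
function handleRequest(urlString, session, resolvedParams) {
  const decision = middlewareDecision(urlString, session);
  if (decision.action === 'block') {
    return { status: decision.status, body: decision.reason };
  }
  const params = resolvedParams ?? { orgId: decision.orgId };
  if (params.orgId === null) {
    return { status: 200, body: 'public page' }; // not an org route
  }
  return renderOrgPage(params, session);
}

const demoSession = { user: 'alice', orgs: ['acme'] }; // constructed sample session
console.log(handleRequest('/orgs/acme', demoSession));                  // status 200
console.log(handleRequest('/orgs/acme?__next_locale=en', demoSession)); // status 400, blocked in middleware
// Middleware saw /orgs/acme and allowed it, but the renderer resolved another org:
console.log(handleRequest('/orgs/acme?tab=billing', demoSession, { orgId: 'victim-org' })); // status 403 from the page check
```

The third call is the point of the example: the middleware saw an allowed path, yet the page-level check denies the render because it authorizes on `params.orgId`, the value actually about to be used. The reserved-prefix block is an extra signal and a logging hook, not the primary control.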
What This Means For You
- If your organization uses Next.js, check deployed versions now. Anything from 15.4.0 up to but not including 15.5.16, or from 16.2.0 up to but not including 16.2.5, is affected; upgrade to 15.5.16, 16.2.5, or later. Then audit applications that rely on middleware to protect dynamic routes, reviewing access logs for requests to protected routes that carry unexpected query parameters or that returned content the requesting identity should not have been able to see.
Related ATT&CK Techniques
- T1190 Exploit Public-Facing Application (Initial Access), the technique tagged in the detection rule below.
🛡️ Detection Rules
The following Sigma rule was auto-generated for this advisory and mapped to MITRE ATT&CK; treat it as a starting point for hunting, not a verified signature.
CVE-2026-44574 - Next.js Middleware Bypass via Crafted Query Parameters
```yaml
title: CVE-2026-44574 - Next.js Middleware Bypass via Crafted Query Parameters
id: scw-2026-05-13-ai-1
status: experimental
level: high
description: |
  Detects requests that may be attempting to bypass Next.js middleware protection of
  dynamic routes (CVE-2026-44574). The rule looks for the query parameters
  '__next_locale' and '__next_theme', which this feed associates with altering the
  dynamic route value seen by page rendering. A hit on a route that middleware is meant
  to protect warrants investigation; on its own it is not proof of exploitation.
  The match is on cs-uri-query without a leading '?', so the parameter is found whether
  it is first or follows '&'. Normalise URL encoding in the log pipeline before matching.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44574/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - '__next_locale='
      - '__next_theme='
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
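The rule's selection applied to a handful of constructed W3C extended log lines, as an added example that is not part of the page's Sigma rule. It shows why the needles must not be anchored on `?` (W3C `cs-uri-query` never carries one, and a parameter after `&` would be missed) and why the query should be percent-decoded before the substring test. The field order and the log lines are constructed for the example.

```javascript
// Added example, not part of the page's Sigma rule: the rule's selection applied to a few
// constructed W3C extended log lines. Assumed field order:
// date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
const FIELDS = ['date', 'time', 'c-ip', 'cs-method', 'cs-uri-stem', 'cs-uri-query', 'sc-status'];

// Constructed sample log. Note that W3C cs-uri-query carries no leading '?'.
const SAMPLE_LOG = [
  '2026-05-13 20:16:01 203.0.113.7 GET /orgs/acme __next_locale=en 200',
  '2026-05-13 20:16:02 203.0.113.7 GET /orgs/acme tab=billing&__next_theme=dark 200',
  '2026-05-13 20:16:03 203.0.113.7 GET /orgs/acme %5F%5Fnext%5Flocale=en 200',
  '2026-05-13 20:16:04 198.51.100.9 GET /orgs/acme tab=billing 200',
  '2026-05-13 20:16:05 198.51.100.9 GET /static/app.js - 200',
].join('\n');

// Splits space-delimited W3C lines into records; '-' means an empty field.
function parseW3C(text) {
  return text
    .split('\n')
    .filter((line) => line && !line.startsWith('#'))
    .map((line) => {
      const parts = line.split(' ');
      const rec = {};
      FIELDS.forEach((f, i) => { rec[f] = parts[i] === '-' ? '' : parts[i]; });
      return rec;
    });
}

// Percent-decode so %5F%5Fnext%5Flocale is seen as __next_locale; keep the raw value if the
// encoding is malformed rather than dropping the event.
function normalizeQuery(q) {
  try { return decodeURIComponent(q); } catch { return q; }
}

// Sigma `cs-uri-query|contains: [a, b]` is an OR of substring tests.
function sigmaContains(value, needles) {
  return needles.some((n) => value.includes(n));
}

const CORRECTED_NEEDLES = ['__next_locale=', '__next_theme='];
// As first published, the rule anchored each needle on '?', which never appears in
// cs-uri-query and would also miss a parameter that follows '&'.
const ORIGINAL_NEEDLES = ['?__next_locale=', '?__next_theme='];

// Returns the matching requests as "ip stem?query" strings.
function runRule(logText, needles, { decode = true } = {}) {
  return parseW3C(logText)
    .filter((r) => sigmaContains(decode ? normalizeQuery(r['cs-uri-query']) : r['cs-uri-query'], needles))
    .map((r) => `${r['c-ip']} ${r['cs-uri-stem']}?${r['cs-uri-query']}`);
}

console.log('corrected, decoded :', runRule(SAMPLE_LOG, CORRECTED_NEEDLES));                   // 3 hits
console.log('corrected, raw     :', runRule(SAMPLE_LOG, CORRECTED_NEEDLES, { decode: false })); // 2 hits
console.log('original needles   :', runRule(SAMPLE_LOG, ORIGINAL_NEEDLES));                    // 0 hits
```

Sigma itself has no decode modifier for this field, so the normalization belongs in the ingestion pipeline or a SIEM-side transform; without it, the third line slips past the rule.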
Indicators of Compromise
| Reference | Class | Indicator / affected scope |
|---|---|---|
| CVE-2026-44574 | Auth bypass | Next.js versions 15.4.0 up to, but not including, 15.5.16 |
| CVE-2026-44574 | Auth bypass | Next.js versions 16.2.0 up to, but not including, 16.2.5 |
| CVE-2026-44574 | Auth bypass | Next.js applications relying on middleware to protect dynamic routes |
| CVE-2026-44574 | Auth bypass | Requests to protected dynamic routes carrying specially crafted query parameters that alter the resolved route value |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 13, 2026 at 20:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.