Next.js App Router Flaw Bypasses Middleware Authorization
The National Vulnerability Database has disclosed CVE-2026-44575, a high-severity vulnerability (CVSS 7.5) affecting Next.js App Router applications. The flaw affects Next.js versions from 15.2.0 up to but not including 15.5.16, and from 16.2.0 up to but not including 16.2.5. It allows unauthorized access to protected content by circumventing middleware or proxy-based authorization checks.
The vulnerability stems from how Next.js handles the transport-specific route variants used for segment prefetching. Crafted `.rsc` and segment-prefetch URLs resolve to the same page as the ordinary route, but they are not subjected to the middleware rules that protect that route. An attacker can therefore reach content that the middleware was meant to keep behind authorization.
This is a critical bypass: it undermines the very controls developers rely on for access management. Defenders running Next.js must prioritize patching to 15.5.16 or 16.2.5 immediately. Relying on middleware as the sole authorization layer is a common pattern, and this vulnerability shows that the way Next.js routes these variant requests can sidestep that layer entirely.
What This Means For You
- If your organization uses Next.js App Router with middleware or proxy-based authorization, you are exposed. Check your Next.js versions immediately and patch to 15.5.16 or 16.2.5. This is not a theoretical bypass; on unpatched systems it is a direct route to unauthorized access. Audit your application logs for suspicious access patterns to sensitive App Router endpoints, especially requests that use prefetching or `.rsc` route variants.
🛡️ Detection Rules
CVE-2026-44575 - Next.js App Router Unauthorized Access via Segment Prefetch
```yaml
title: CVE-2026-44575 - Next.js App Router Unauthorized Access via Segment Prefetch
id: scw-2026-05-13-ai-1
status: experimental
level: high
description: |
  Detects requests to Next.js App Router applications that contain '.rsc' or 'segment-prefetch' in the URI.
  These transport-specific route variants can be exploited to bypass middleware authorization checks,
  allowing unauthorized access to protected content as described in CVE-2026-44575.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44575/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '.rsc'
      - 'segment-prefetch'
  condition: selection
falsepositives:
  - Legitimate administrative activity
  - Legitimate segment prefetching by the App Router client also requests these route variants;
    correlate hits with the response status and the protected path before escalating
```
Source: Shimi's Cyber World
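The Sigma rule above only says which URIs to look at; the audit step the "What This Means For You" note asks for also needs to decide which hits matter. The following Python is an added example, not part of the advisory or of the SCW feed: it applies the rule's selection (`cs-uri` contains `.rsc` or `segment-prefetch`) to constructed combined-format web-server log lines and ranks each hit by whether it touched a protected path and what status the server returned. The protected prefixes `/admin` and `/account`, the IPs, paths and timestamps in the sample log are all assumptions constructed for the example.

```python
"""Triage web-server logs for the URI patterns named in the CVE-2026-44575 Sigma rule.

Added example (not the advisory's or the SCW feed's code). A correctly enforced
middleware check answers a protected path with a redirect or 401/403, so a 2xx
response to a '.rsc' or 'segment-prefetch' variant of a protected path is the
case that deserves a human look. Ordinary App Router prefetching also produces
these variants on public pages, which is why unprotected hits are ranked low.
"""
import re
from typing import NamedTuple

# Apache/Nginx combined log format:
# ip - user [time] "METHOD uri HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Selection terms copied from the Sigma rule on the page.
SIGMA_URI_TERMS = (".rsc", "segment-prefetch")

# Assumed protected prefixes; replace with the paths your middleware actually guards.
PROTECTED_PREFIXES = ("/admin", "/account")

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [13/May/2026:20:30:01 +0000] "GET /admin/settings.rsc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/May/2026:20:30:02 +0000] "GET /admin/settings HTTP/1.1" 307 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [13/May/2026:20:31:10 +0000] "GET /blog/post-1.rsc HTTP/1.1" 200 2048 "https://example.test/blog" "Mozilla/5.0"',
    '198.51.100.4 - - [13/May/2026:20:31:11 +0000] "GET /static/app.js HTTP/1.1" 200 90000 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [13/May/2026:20:32:00 +0000] "GET /account/billing?segment-prefetch=1 HTTP/1.1" 401 0 "-" "curl/8.0"',
    "garbage line that does not parse",
]


class Hit(NamedTuple):
    ip: str
    uri: str
    status: int
    protected: bool
    severity: str


def parse_line(line):
    """Return the combined-format fields as a dict, or None for an unparseable line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def matches_sigma_selection(uri):
    """Sigma 'cs-uri|contains': any listed term, case-insensitive as most backends compile it."""
    u = uri.lower()
    return any(term in u for term in SIGMA_URI_TERMS)


def is_protected(uri):
    """True when the path (query string stripped) sits under an assumed protected prefix."""
    path = uri.split("?", 1)[0]
    return any(
        path == p or path.startswith(p + "/") or path.startswith(p + ".")
        for p in PROTECTED_PREFIXES
    )


def triage(lines):
    """Apply the Sigma selection, then rank each hit by protected path and response status."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not matches_sigma_selection(rec["uri"]):
            continue
        status = int(rec["status"])
        protected = is_protected(rec["uri"])
        if protected and 200 <= status < 300:
            severity = "high"    # protected content was served to a variant request
        elif protected:
            severity = "medium"  # variant request to a protected path was denied or redirected
        else:
            severity = "low"     # public page; normal App Router prefetching looks like this
        hits.append(Hit(rec["ip"], rec["uri"], status, protected, severity))
    return hits


def summarize(hits):
    """Count hits per severity so the high bucket can be reviewed first."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for h in hits:
        counts[h.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for h in sorted(results, key=lambda h: ("high", "medium", "low").index(h.severity)):
        print(f"{h.severity:6} {h.status} {h.ip:14} {h.uri}")
    print(summarize(results))
```

Run against the constructed sample, the `/admin/settings.rsc` request answered with 200 ranks high, the denied `/account/billing?segment-prefetch=1` request ranks medium, and the `/blog/post-1.rsc` prefetch ranks low; the plain `/admin/settings` request never matches the Sigma selection at all, which is the rule's blind spot for ordinary traffic and the reason the variant requests are the ones to correlate with session and user fields in your own logs.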
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-44575 | Auth Bypass | Next.js App Router applications versions 15.2.0 to before 15.5.16 |
| CVE-2026-44575 | Auth Bypass | Next.js App Router applications versions 16.2.0 to before 16.2.5 |
| CVE-2026-44575 | Auth Bypass | Next.js App Router applications relying on middleware or proxy-based checks for authorization |
| CVE-2026-44575 | Auth Bypass | Specially crafted .rsc and segment-prefetch URLs |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 13, 2026 at 20:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.