Next.js Partial Prerendering Vulnerability: DoS via Connection Exhaustion
The National Vulnerability Database has disclosed CVE-2026-44579, a high-severity vulnerability (CVSS 7.5) affecting Next.js applications utilizing Partial Prerendering through the Cache Components feature. This flaw, categorized as CWE-770 (Improper Restriction of Resource Consumption), allows attackers to trigger a denial-of-service condition.
Specifically, a maliciously crafted POST request to a server action can induce a request-body handling deadlock. This leaves connections open for an extended period, rapidly consuming file descriptors and server capacity. The practical impact is a denial of service, preventing legitimate users from accessing the application.
Next.js versions before 15.5.16 and 16.2.5 are affected. Defenders must prioritize patching to these versions, as the attack requires no authentication and can be executed remotely. This is a critical resource exhaustion vector that attackers will undoubtedly leverage to disrupt services.
What This Means For You
- If your organization deploys Next.js applications, immediately verify if they use Partial Prerendering with Cache Components. If so, prioritize patching to Next.js 15.5.16 or 16.2.5 to mitigate CVE-2026-44579. This is not a theoretical risk; it's a direct path to application downtime.
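One way to run that check across several deployments, as an added example that is not code from the advisory or from the Next.js project: it compares each resolved `next` version with the two fixed releases named above and looks for PPR / Cache Components in the parsed config. The config keys checked (`cacheComponents`, `experimental.cacheComponents`, `experimental.ppr`), the mapping of release lines to fixed versions, and the inventory are assumptions.

```javascript
// Added example, not code from the advisory or from Next.js.
// Fixed releases are the two versions the advisory names.
const FIXED = { 15: [15, 5, 16], 16: [16, 2, 5] };

// Parse "16.2.4" or "15.5.16-canary.3" into { nums, pre }; null if not x.y.z.
function parseVersion(raw) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(raw).trim());
  return m ? { nums: m.slice(1, 4).map(Number), pre: Boolean(m[4]) } : null;
}

// Assumption: 16.x and later are compared with 16.2.5, 15.x and older with 15.5.16.
// Returns true/false, or null when the version string cannot be parsed.
function isAffectedVersion(raw) {
  const v = parseVersion(raw);
  if (!v) return null;
  const fix = v.nums[0] >= 16 ? FIXED[16] : FIXED[15];
  for (let i = 0; i < 3; i++) {
    if (v.nums[i] !== fix[i]) return v.nums[i] < fix[i];
  }
  return v.pre; // a pre-release of the fixed version sorts before the fix
}

// Assumption: these config keys are what enables PPR / Cache Components.
function usesPartialPrerendering(config = {}) {
  const exp = config.experimental || {};
  return Boolean(config.cacheComponents || exp.cacheComponents || exp.ppr);
}

// Combine both checks into one verdict per deployment.
function triage(version, config) {
  const affected = isAffectedVersion(version);
  if (affected === null) return 'review'; // resolve the real version by hand
  if (!affected) return 'patched';
  return usesPartialPrerendering(config) ? 'exposed' : 'upgrade';
}

// Constructed inventory: resolved `next` version plus the parsed next.config object.
const inventory = [
  { app: 'storefront', version: '16.2.4', config: { cacheComponents: true } },
  { app: 'docs', version: '15.5.16-canary.3', config: { experimental: { ppr: 'incremental' } } },
  { app: 'admin', version: '15.5.15', config: {} },
  { app: 'blog', version: '16.2.5', config: { cacheComponents: true } },
];
for (const { app, version, config } of inventory) {
  console.log(`${app}\t${version}\t${triage(version, config)}`);
}
```

Feed it the version resolved in the lockfile or `node_modules/next/package.json`, not the range from `package.json`; a range such as `^15.3.0` comes back as `review`.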
🛡️ Detection Rules
CVE-2026-44579 - Next.js Partial Prerendering DoS via Crafted POST
```yaml
title: CVE-2026-44579 - Next.js Partial Prerendering DoS via Crafted POST
id: scw-2026-05-13-ai-1
status: experimental
level: high
description: |
  Detects crafted POST requests to the Next.js server action endpoint ('/_next/view-server-action') which can trigger a connection exhaustion deadlock in affected versions of Next.js (prior to 15.5.16 and 16.2.5) when using Partial Prerendering with Cache Components. This can lead to a Denial of Service by exhausting server resources.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44579/
tags:
  - attack.impact
  - attack.t1499
logsource:
  category: webserver
detection:
  selection:
    cs-method:
      - 'POST'
    cs-uri:
      - '/_next/view-server-action'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-44579 | DoS | Next.js versions before 15.5.16 |
| CVE-2026-44579 | DoS | Next.js versions before 16.2.5 |
| CVE-2026-44579 | DoS | Next.js applications using Partial Prerendering through the Cache Components feature |
| CVE-2026-44579 | DoS | Crafted POST requests to a server action leading to connection exhaustion |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 13, 2026 at 21:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.