Next.js CVE-2026-45109: Middleware Bypass Via Turbopack
The National Vulnerability Database (NVD) has documented CVE-2026-45109, a high-severity vulnerability (CVSS 7.5) affecting Next.js, a popular React framework. This flaw, categorized as CWE-288 (Authentication Bypass Using an Alternate Path or Channel), allows for a bypass of security controls in middleware.ts when using Turbopack. Specifically, a prior fix for CVE-2026-44575 did not extend to this configuration, leaving a critical gap.
This bypass means that defensive logic intended to secure routes or validate requests within Next.js middleware can be circumvented by an attacker. For organizations leveraging Next.js with Turbopack, this presents a significant risk, as it could lead to unauthorized access to protected resources or functions that the middleware was designed to gate. The NVD states that affected versions range from 15.2.0 to before 15.5.18 and before 16.2.6.
To mitigate this, the NVD confirms that the vulnerability is addressed in Next.js versions 15.5.18 and 16.2.6. Defenders must prioritize upgrading their Next.js applications to these patched versions immediately. Failing to do so leaves a wide-open door for attackers to bypass critical application-level security controls, potentially leading to data exposure or unauthorized actions.
What This Means For You
- If your organization uses Next.js with `middleware.ts` and Turbopack, you are directly exposed. Immediately identify your Next.js version. If it is 15.2.0 or later but earlier than 15.5.18, or earlier than 16.2.6, you must upgrade to 15.5.18 or 16.2.6 without delay. Audit your middleware logic to understand what protections could be bypassed.
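The first action above is a version check, and the version that matters is the one resolved into `node_modules`, not the range declared in the app's `package.json`. The script below is an added example, not the advisory's or the Next.js project's code: it reads the installed version and tests it against the ranges stated on this page, treating a prerelease such as a canary build as sorting below its release, and it assumes that the 16 line starts at 16.0.0 (the page says "before 16.2.6").

```javascript
// Added example (not the advisory's or the Next.js project's code): compare an installed
// Next.js version with the affected ranges stated for CVE-2026-45109.
// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" (build metadata is ignored).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver release: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Comparator (<0, 0, >0). A prerelease sorts below its release: 15.5.18-canary.1 < 15.5.18,
// so a canary of the fix version is still reported as affected.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) if (x[k] !== y[k]) return x[k] - y[k];
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Ranges from the advisory: 15.2.0 <= v < 15.5.18 (fixed in 15.5.18) and v < 16.2.6 on the
// 16 line (fixed in 16.2.6). Assumption: the 16 line starts at 16.0.0.
const AFFECTED = [
  { from: "15.2.0", fixed: "15.5.18" },
  { from: "16.0.0", fixed: "16.2.6" },
];

function isAffected(version) {
  return AFFECTED.some(r => compareSemver(version, r.from) >= 0 && compareSemver(version, r.fixed) < 0);
}

// Reports the affected state and the upgrade target on the same major line.
function assess(version) {
  const affected = isAffected(version);
  const range = AFFECTED.find(r => parseSemver(r.from).major === parseSemver(version).major);
  return { version, affected, upgradeTo: affected && range ? range.fixed : null };
}

// Reads the resolved version from node_modules/next/package.json, i.e. what is actually
// installed, not the range declared in the app's own package.json.
function installedNextVersion(projectDir) {
  const fs = require("fs"), path = require("path");
  const pkg = path.join(projectDir, "node_modules", "next", "package.json");
  return JSON.parse(fs.readFileSync(pkg, "utf8")).version;
}

// Usage: node check-next.js /path/to/app   (runs only when an app directory is given)
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  console.log(assess(installedNextVersion(process.argv[2])));
}
```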
🛡️ Detection Rules
```yaml
# Title contains a colon, so it must be quoted to be valid YAML.
title: 'CVE-2026-45109: Next.js Middleware Bypass via Turbopack'
id: scw-2026-05-13-ai-1
status: experimental
level: high
description: |
  This rule detects attempts to access or exploit the middleware.ts file directly in Next.js applications, which is indicative of the vulnerability described in CVE-2026-45109. The vulnerability allows bypassing middleware protections when Turbopack is used, potentially leading to unauthorized access or execution.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-45109/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/middleware.ts'
    # A bare field value is an exact match in Sigma; there is no 'exact' modifier.
    cs-method: 'GET'
    sc-status: '200'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-45109 | Auth Bypass | Next.js versions 15.2.0 to before 15.5.18 |
| CVE-2026-45109 | Auth Bypass | Next.js versions 16.2.0 to before 16.2.6 |
| CVE-2026-45109 | Auth Bypass | Next.js vulnerable component: middleware.ts with Turbopack |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 13, 2026 at 21:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.