A high-severity authentication bypass vulnerability has slipped through a previously issued security fix in Next.js, exposing applications to unauthorized access through a configuration that the original patch never covered.
Vercel’s Next.js security team published advisory GHSA-26hh-7cqf-hhc6 on May 8, 2026, disclosing that the fix for CVE-2026-44575, a middleware bypass vulnerability via segment-prefetch routes, failed to protect applications running middleware.ts with Turbopack.
The new flaw, tracked as CVE-2026-45109 with a CVSS v3.1 score of 7.5 (High), follows CWE-288: Authentication Bypass Using an Alternate Path or Channel. It is the latest in a sweeping batch of twelve vulnerabilities disclosed across Next.js and React Server Components on May 6–8, 2026.
Next.js CVE-2026-45109: Authentication Bypass Vulnerability
CVE-2026-45109 is a direct follow-up to CVE-2026-44575, a flaw in Next.js App Router applications that allowed attackers to bypass middleware and proxy-based authorization checks by crafting malicious .rsc and segment-prefetch URLs.
When those specially crafted URLs resolve to the same page content, they do so without triggering the intended middleware rule, thereby allowing unauthenticated requests to access protected content.
The original patch for CVE-2026-44575 fixed the bypass for most configurations, but it critically omitted one scenario: applications using middleware.ts combined with Turbopack, Next.js’s next-generation Rust-based build toolchain.
The incomplete fix left those applications with the same attack surface as before, granting remote attackers a network-accessible, low-complexity path to bypass authentication with no privileges or user interaction required. The CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N confirms the confidentiality impact is rated High, with no integrity or availability impact.
Affected Versions
The vulnerability affects two major release lines of the next npm package:
| Next.js Version Range | Patched Version |
|---|---|
| >= 15.2.0 and < 15.5.18 | 15.5.18 |
| >= 16.0.0 and < 16.2.6 | 16.2.6 |
Notably, Next.js 13.x and 14.x users will not receive patches for this or several related CVEs. Vercel has formally advised those teams to migrate to the 15.x or 16.x line to receive security coverage.
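To turn the version table above into something a team can run across its repositories, the following helper (an added example for this page, not a tool from Vercel or the advisory) classifies an installed "next" version against the affected ranges and pulls that version out of an npm package-lock object. The status labels, the treatment of prerelease tags (a prerelease of the patched version is counted as still affected) and the sample lockfile are assumptions of this helper.

```javascript
// Added audit helper; not part of the advisory or of Next.js.
// Ranges are those in the table above: >=15.2.0 <15.5.18 and >=16.0.0 <16.2.6.
const AFFECTED_RANGES = [
  { from: [15, 2, 0], before: [15, 5, 18], patched: '15.5.18' },
  { from: [16, 0, 0], before: [16, 2, 6], patched: '16.2.6' },
];

// Parse "15.5.17", "v16.2.6" or "15.5.18-canary.3" into numeric parts plus an
// optional prerelease tag. Returns null for anything that is not a version triple.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) return null;
  return {
    parts: [Number(m[1]), Number(m[2]), Number(m[3])],
    prerelease: m[4] || null,
  };
}

// Lexicographic compare of [major, minor, patch].
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Classify one version string. Status labels are an assumption of this helper:
// 'affected', 'not-affected', 'unsupported' (13.x/14.x get no patch), 'unknown'.
function classify(v) {
  const parsed = parseVersion(v);
  if (!parsed) return { status: 'unknown', action: 'unparseable version ' + JSON.stringify(v) };
  const { parts, prerelease } = parsed;
  if (parts[0] < 15) {
    return { status: 'unsupported', action: 'migrate to 15.x or 16.x; no patch will be issued' };
  }
  for (const r of AFFECTED_RANGES) {
    const atOrAboveStart = cmp(parts, r.from) >= 0;
    // A prerelease of the patched release (e.g. 15.5.18-canary.3) precedes it
    // in semver order, so it is treated as unpatched.
    const belowPatched =
      cmp(parts, r.before) < 0 || (prerelease !== null && cmp(parts, r.before) === 0);
    if (atOrAboveStart && belowPatched) {
      return { status: 'affected', action: 'upgrade to ' + r.patched, patched: r.patched };
    }
  }
  return { status: 'not-affected', action: 'outside the affected ranges' };
}

// Read the installed "next" version from an npm lockfile (lockfileVersion 2 or 3),
// where installed packages live under packages["node_modules/<name>"].
function nextVersionFromLock(lock) {
  const entry = lock && lock.packages && lock.packages['node_modules/next'];
  return entry && typeof entry.version === 'string' ? entry.version : null;
}

// Constructed sample lockfile fragment for the demo (not from a real project).
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { next: '^16.2.0' } },
    'node_modules/next': { version: '16.2.5' },
  },
};

// Classify the version found in a lockfile object.
function auditLock(lock) {
  const version = nextVersionFromLock(lock);
  return version === null
    ? { version: null, status: 'unknown', action: 'next not found in lockfile' }
    : { version, ...classify(version) };
}

console.log(auditLock(SAMPLE_LOCK));
```

Usage: load `package-lock.json` with `JSON.parse` and pass the object to `auditLock`; for pnpm or yarn lockfiles, read the resolved version by hand and call `classify` directly.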
CVE-2026-45109 is not an isolated incident: it was disclosed alongside eleven other vulnerabilities across Next.js and React Server Components in what constitutes one of the largest coordinated security releases in the framework’s history.
Among the most critical co-disclosed flaws are:
- CVE-2026-44575 (CVSS 7.5) – Original App Router segment-prefetch bypass via crafted .rsc URLs, affecting versions >= 15.2.0
- CVE-2026-44574 (CVSS 8.1) – Middleware bypass via dynamic route parameter injection, where a crafted query string alters the route value seen by the page
- CVE-2026-44578 (CVSS 8.6) – SSRF in applications using WebSocket upgrades, allowing attackers to proxy requests to internal services or cloud metadata endpoints
- CVE-2026-44579 (CVSS 7.5) – Connection exhaustion DoS via crafted POST requests to server actions using Cache Components
The broader advisory landscape reveals that middleware and proxy authorization in Next.js have been a persistent weak point. As recently as March 2025, a separate critical vulnerability (CVE-2025-29927, CVSS 9.1) allowed attackers to bypass all middleware execution via a single manipulated HTTP header.
The attack mechanism is elegantly simple. Next.js App Router supports segment prefetching, a performance optimization that lets the browser prefetch route data for faster navigation. These prefetch requests use transport-specific URL variants, notably .rsc suffixes and _rsc query parameters that Next.js handles through separate internal routing logic.
In vulnerable configurations, the middleware matcher that enforces authorization checks does not account for these prefetch URL variants.
A remote attacker sends a crafted prefetch-style request directly to a protected route; the server resolves the request to the correct page but skips middleware evaluation, delivering protected content without authentication.
With Turbopack bundling middleware.ts, the logic added by the patch for CVE-2026-44575 never took effect on that code path, leaving those applications silently vulnerable even after upgrading to an ostensibly “fixed” version.
Mitigation
Security teams should take the following actions immediately:
- Upgrade Next.js to version 15.5.18 or 16.2.6 via `npm install next@latest` (or `next@15` to stay on the 15.x line) or `yarn upgrade next`
- Netlify users running Pages Router with i18n and Middleware must also upgrade the OpenNext Netlify adapter to v5.15.11 and redeploy
- Review all active deploy previews and branch deploys; these remain on older code and may stay vulnerable until deleted
- Audit middleware matchers to explicitly include RSC transport variants (`.rsc` and `?_rsc=`) in any route protection logic as a defense-in-depth measure
- Do not rely solely on middleware for authorization in production. Apply server-side authorization checks within individual route handlers and Server Components as a secondary layer.
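The following block is an added example for this page, not code from Next.js, Vercel or the advisory. It models the matcher gap described in the bypass walkthrough and the last two mitigation items above as pure functions over the request target: a naive prefix matcher that sees only the raw pathname, a hardened one that matches on the canonical route after stripping the RSC transport variants, and a handler-side check that holds even when middleware never ran. `PROTECTED_PREFIXES`, `gate`, `dashboardHandler` and the sample request targets are assumptions of the example; the real matching happens inside the framework.

```javascript
// Added example; not Next.js or Vercel code. Models matcher coverage of RSC
// transport variants as pure functions so the gap can be exercised offline.

// Assumed: routes the middleware is meant to protect.
const PROTECTED_PREFIXES = ['/dashboard', '/admin'];

// Parse a request target. A base is required for relative targets; the host
// plays no part in the decision.
function parse(rawUrl) {
  return new URL(rawUrl, 'http://example.invalid');
}

function matchesPrefix(pathname) {
  return PROTECTED_PREFIXES.some(
    (p) => pathname === p || pathname.startsWith(p + '/'),
  );
}

// Naive check: tests the raw pathname, as a matcher written only for
// '/dashboard/:path*' does. '/dashboard.rsc' has a different pathname and
// falls through unprotected.
function naiveIsProtected(rawUrl) {
  return matchesPrefix(parse(rawUrl).pathname);
}

// The two transport variants named in the text: a '.rsc' path suffix or a
// '_rsc' query parameter. This is the signal a proxy or CDN rule would key on.
function isRscTransport(rawUrl) {
  const u = parse(rawUrl);
  return u.pathname.endsWith('.rsc') || u.searchParams.has('_rsc');
}

// Canonical route: strip the '.rsc' suffix so a variant maps onto the route
// the matcher was written for.
function canonicalPath(rawUrl) {
  let { pathname } = parse(rawUrl);
  if (pathname.endsWith('.rsc')) pathname = pathname.slice(0, -4) || '/';
  return pathname;
}

// Hardened check: match on the canonical route, so every transport variant of
// a protected page is treated as that page.
function hardenedIsProtected(rawUrl) {
  return matchesPrefix(canonicalPath(rawUrl));
}

// Middleware-style gate: 'pass' for routes the matcher does not cover,
// 'allow' for authenticated requests to protected routes, 'deny' otherwise.
function gate(rawUrl, hasSession, isProtected) {
  if (!isProtected(rawUrl)) return 'pass';
  return hasSession ? 'allow' : 'deny';
}

// Second layer: the handler checks the session itself, so a request that
// reached it without passing through middleware is still refused.
function dashboardHandler(rawUrl, hasSession) {
  if (!hasSession) return { status: 401, body: 'unauthorized' };
  return { status: 200, body: 'dashboard for ' + canonicalPath(rawUrl) };
}

// Constructed sample requests, all sent without a session.
const SAMPLE_REQUESTS = [
  '/dashboard',
  '/dashboard.rsc',
  '/dashboard/settings?_rsc=1a2b3',
  '/public/about',
];

// One row per request: whether it uses an RSC transport variant and what each
// gate decides for an unauthenticated caller.
function compare() {
  return SAMPLE_REQUESTS.map((url) => ({
    url,
    rsc: isRscTransport(url),
    naive: gate(url, false, naiveIsProtected),
    hardened: gate(url, false, hardenedIsProtected),
  }));
}

console.table(compare());
```

In the table, `/dashboard.rsc` is the row that matters: the naive gate returns `pass` (the request is never treated as protected), the hardened gate returns `deny`. The `?_rsc=` variant keeps the original pathname, so both prefix gates deny it in this model; the advisory's point is that the framework's separate internal routing can skip middleware for such requests entirely, which no matcher change can fix and is why `dashboardHandler` performs its own session check.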
FAQ
Q1: What is CVE-2026-45109?
CVE-2026-45109 is a High-severity (CVSS 7.5) authentication bypass vulnerability in Next.js App Router caused by an incomplete fix that failed to cover middleware.ts configurations running with Turbopack, allowing unauthenticated access to protected routes via crafted segment-prefetch URLs.
Q2: Which Next.js versions are affected by GHSA-26hh-7cqf-hhc6?
All Next.js versions from 15.2.0 through 15.5.17 and 16.0.0 through 16.2.5 are vulnerable; the patched releases are 15.5.18 and 16.2.6.
Q3: Why did the original CVE-2026-44575 patch fail to protect some users?
The fix for CVE-2026-44575 updated middleware matchers for standard configurations but did not apply the same logic to middleware.ts when bundled with Turbopack, leaving that specific execution path unguarded against the same prefetch-route bypass technique.
Q4: What should developers do if they cannot immediately upgrade Next.js?
As a temporary mitigation, developers should implement server-side authorization checks directly inside route handlers and React Server Components rather than relying exclusively on middleware, and block or validate any incoming .rsc or ?_rsc= prefetch requests at the proxy or CDN layer.
Site: thecybrdef.com