CVE-2026-44573
This vulnerability has been fixed in the Never-Ending Support (NES) version of Next.js offered by HeroDevs.
Overview
Next.js is a popular open-source React framework developed by Vercel that enables server-side rendering, static site generation, and full-stack web application development.
A high-severity Broken Access Control vulnerability (CVE-2026-44573) has been identified in Next.js. In Pages Router applications that combine an i18n configuration with middleware-based or proxy-based authorization, that authorization can be bypassed by issuing a locale-less /_next/data/<buildId>/<page>.json request. The generated middleware matcher requires an i18n locale segment, so the unprefixed data route fails the matcher, middleware is skipped, and the protected page's server-rendered JSON is returned without ever being subject to the intended authorization checks.
Per OWASP: Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits.
Details
Module Info
- Product: Next.js
- Affected packages: next
- Affected versions: >=12.2.0 <15.5.16, >=16.0.0 <16.2.5
- GitHub repository: https://github.com/vercel/next.js
- Published packages: https://www.npmjs.com/package/next
- Package manager: npm
- Fixed in:
  - OSS v15.5.16, v16.2.5
  - NES for Next.js v12.3.14
Vulnerability Info
This high-severity vulnerability is found in Next.js versions >=12.2.0 and <15.5.16, as well as versions >=16.0.0 and <16.2.5.
When i18n is configured, Next.js prepends a required :nextInternalLocale segment to every middleware matcher regex. A request for /_next/data/<buildId>/<page>.json that does not include a locale segment fails the matcher, so middleware is skipped entirely. The _next/data catch-all route then assigns the default locale and serves the page's getServerSideProps output, completely bypassing the middleware that was intended to gate the request.
This vulnerability could be exploited by:
- sending a GET /_next/data/<buildId>/<page>.json request without a locale prefix to retrieve SSR JSON for a page protected by middleware-based authorization
- enumerating or guessing the application's <buildId> value (publicly visible in any rendered page's __NEXT_DATA__ payload) to construct the locale-less data URL
- substituting the locale-less data route for the page route in any flow that relies on middleware for auth, role enforcement, or proxy authorization
Mitigation
Next.js versions prior to 15.5.x are End-of-Life and will not receive any updates to address this issue.
Users of the affected components should apply one of the following mitigations:
- Upgrade affected applications to a fixed version of Next.js.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.