LiveActive security incident?Get immediate response
CVE Record

CVE-2026-44573: Next.js: Middleware / Proxy bypass in Pages Router applications using i18n

Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /_next/data/<buildId>/<page>.json requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks. This vulnerability is fixed in 15.5.16 and 16.2.5.

HighCVSS 7.5Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

This flaw can let unauthenticated users read protected server-rendered page data in certain Next.js applications. It affects apps using the Pages Router, i18n, and middleware or proxy-based authorization. The issue is confidentiality-focused: attackers may retrieve JSON data for protected pages without normal authorization checks.

Executive priority

Prioritize remediation for customer portals, admin panels, and applications exposing sensitive SSR page data. The business risk is unauthorized data disclosure, not system takeover, but affected public applications should be upgraded promptly.

Technical view

Next.js versions 12.2.0 before 15.5.16 and 16.0.0 before 16.2.5 are affected in specific configurations. Locale-less /_next/data/<buildId>/<page>.json requests may bypass middleware for Pages Router apps with i18n, exposing SSR JSON for protected pages. CVSS is 7.5, with high confidentiality impact.

Likely exposure

Exposure is limited to Next.js applications using Pages Router, configured i18n, and middleware/proxy-based authorization for protected pages. API-only apps or apps not matching this pattern may not be affected based on the provided advisory.

Exploitation context

The advisory describes unauthenticated network access with low complexity and no user interaction. The provided sources do not state active exploitation, and the CVE is not marked KEV in the supplied data.

Researcher notes

Key condition is the intersection of Pages Router, i18n, and middleware/proxy authorization. Validate configuration before declaring exposure. Red Hat references indicate downstream tracking and advisories, but the primary technical details and fixed versions come from the Next.js advisory data.

Mitigation direction

  • Upgrade affected Next.js 15.x applications to 15.5.16 or later.
  • Upgrade affected Next.js 16.x applications to 16.2.5 or later.
  • For other deployment contexts, check Vercel and platform vendor guidance.
  • Confirm authorization for sensitive data is not dependent only on bypassable middleware paths.

Validation and detection

  • Inventory Next.js versions across internet-facing and internal applications.
  • Identify apps using Pages Router with i18n enabled.
  • Check whether protected pages rely on middleware or proxy authorization.
  • Confirm deployed versions are at or above fixed releases.
  • Review access logs for unexpected locale-less Next.js data route requests.
Prepared
Confidence
high
Sources
7

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-551: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cwe · medium confidence lookup

CWE-863: Authorization and privilege behavior lookup

Authorization weaknesses can support privilege escalation and valid-account review, depending on exploit path. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-44573 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7.5 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

2CVSS vectors
5Timeline events
2ADP providers
7Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: yesTechnical Impact: partial

CVSS vector scores

2 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7.5CVSS 3.1HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N3.93.6GitHub_M
7.5CVSS 3.1HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N3.93.6redhat-SADP

Vulnerability scoring details

Base CVSS 3.1 score

7.5High
CVSS 3.1 vector shape for CVE-2026-44573Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. ADP timelineredhat-SADP

    Made public.

  3. CVE publishedCVE Program

    The CVE record was published.

  4. ADP timelineredhat-SADP

    Reported to Red Hat.

  5. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
redhat-SADPnext.js: Next.js: Information disclosure due to middleware bypass in Pages Router with i18n
other:Red Hat severity ratingcvssV3_1
  • 2026-05-13T18:01:50.343Z: Reported to Red Hat.
  • 2026-05-13T16:48:16.218Z: Made public.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
vercelnext.js>= 12.2.0, < 15.5.16, >= 16.0.0, < 16.2.5Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-551 · source CWE mapping

Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

Incorrect Behavior Order: Authorization Before Parsing and Canonicalization represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.

CWE-863 · source CWE mapping

Incorrect Authorization

Incorrect Authorization represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.