CVE-2026-44573: Next.js: Middleware / Proxy bypass in Pages Router applications using i18n
Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /_next/data/<buildId>/<page>.json requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks. This vulnerability is fixed in 15.5.16 and 16.2.5.
Security readout for executives and security teams
Plain-English summary
This flaw can let unauthenticated users read protected server-rendered page data in certain Next.js applications. It affects apps using the Pages Router, i18n, and middleware or proxy-based authorization. The issue is confidentiality-focused: attackers may retrieve JSON data for protected pages without normal authorization checks.
Executive priority
Prioritize remediation for customer portals, admin panels, and applications exposing sensitive SSR page data. The business risk is unauthorized data disclosure, not system takeover, but affected public applications should be upgraded promptly.
Technical view
Next.js versions 12.2.0 before 15.5.16 and 16.0.0 before 16.2.5 are affected in specific configurations. Locale-less /_next/data/<buildId>/<page>.json requests may bypass middleware for Pages Router apps with i18n, exposing SSR JSON for protected pages. CVSS is 7.5, with high confidentiality impact.
Likely exposure
Exposure is limited to Next.js applications using Pages Router, configured i18n, and middleware/proxy-based authorization for protected pages. API-only apps or apps not matching this pattern may not be affected based on the provided advisory.
Exploitation context
The advisory describes unauthenticated network access with low complexity and no user interaction. The provided sources do not state active exploitation, and the CVE is not marked KEV in the supplied data.
Researcher notes
Key condition is the intersection of Pages Router, i18n, and middleware/proxy authorization. Validate configuration before declaring exposure. Red Hat references indicate downstream tracking and advisories, but the primary technical details and fixed versions come from the Next.js advisory data.
Mitigation direction
Upgrade affected Next.js 15.x applications to 15.5.16 or later.
Upgrade affected Next.js 16.x applications to 16.2.5 or later.
For other deployment contexts, check Vercel and platform vendor guidance.
Confirm authorization for sensitive data is not dependent only on bypassable middleware paths.
Validation and detection
Inventory Next.js versions across internet-facing and internal applications.
Identify apps using Pages Router with i18n enabled.
Check whether protected pages rely on middleware or proxy authorization.
Confirm deployed versions are at or above fixed releases.
Review access logs for unexpected locale-less Next.js data route requests.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-551: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
CWE-863: Authorization and privilege behavior lookup
Authorization weaknesses can support privilege escalation and valid-account review, depending on exploit path. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-551 · source CWE mapping
Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
Incorrect Behavior Order: Authorization Before Parsing and Canonicalization represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Incorrect Authorization represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.