CVE-2026-44573

HIGH LAB

Next.js: Middleware / Proxy bypass in Pages Router applications using i18n

Title source: cna

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-44573, with PoCs published by dwisiswant0 and XZ1r0.

AI-analyzed exploit summary: This repository contains functional proof-of-concept exploits for multiple Next.js vulnerabilities, including CVE-2026-44573, which involves a Pages Router i18n data-route bypass. The PoCs include detailed write-ups, vulnerable code excerpts, and runnable exploit scripts.

Description

Next.js is a React framework for building full-stack web applications. In versions from 12.2.0 to before 15.5.16 and 16.2.5, applications that use the Pages Router with i18n configured and enforce authorization in middleware/proxy can allow unauthorized access to protected page data through locale-less /_next/data/<buildId>/<page>.json requests. In affected configurations, middleware does not run for the unprefixed data route, so an attacker can retrieve the SSR JSON for protected pages without passing the intended authorization checks. This vulnerability is fixed in 15.5.16 and 16.2.5.
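One way for a defender to spot this request shape in web server access logs, as an added example that is not part of the advisory or of either PoC repository (the log lines, locale list and build id are constructed assumptions):

```javascript
// Added example, not code from the advisory or either PoC repository: flag
// locale-less Pages Router data-route requests in access logs, the request
// shape the description says can skip middleware/proxy authorization.
const LOCALES = ["en", "fr", "de"]; // assumed i18n.locales from next.config.js

// /_next/data/<buildId>/<rest>.json with an optional query string.
const DATA_ROUTE = /^\/_next\/data\/([^/]+)\/(.+)\.json(?:\?.*)?$/;

// Describe a request path: null if it is not a data route, otherwise the
// build id, the page it resolves to, and whether a locale prefix is present.
function classifyPath(path) {
  const m = DATA_ROUTE.exec(path);
  if (!m) return null;
  const [, buildId, rest] = m;
  const segments = rest.split("/");
  const hasLocale = LOCALES.includes(segments[0]);
  const pageSegments = hasLocale ? segments.slice(1) : segments;
  return { buildId, hasLocale, page: "/" + pageSegments.join("/") };
}

// Pull the request target out of a combined-log-format line.
function extractPath(line) {
  const m = /"(?:GET|HEAD) (\S+) HTTP\/[\d.]+"/.exec(line);
  return m ? m[1] : null;
}

// Return every data-route request that lacks the locale prefix; these are the
// candidates to compare against the pages the middleware should protect.
function findLocalelessDataRequests(lines) {
  const hits = [];
  for (const line of lines) {
    const path = extractPath(line);
    if (path === null) continue;
    const info = classifyPath(path);
    if (info !== null && !info.hasLocale) {
      hits.push({ path, buildId: info.buildId, page: info.page });
    }
  }
  return hits;
}

// Constructed sample log: one normal locale-prefixed data fetch, one page
// navigation, and two locale-less data fetches for protected pages.
const SAMPLE_LOG = [
  '203.0.113.7 - - [13/May/2026:10:00:01 +0000] "GET /_next/data/abc123/en/dashboard.json HTTP/1.1" 200 512',
  '203.0.113.7 - - [13/May/2026:10:00:02 +0000] "GET /en/dashboard HTTP/1.1" 302 0',
  '203.0.113.7 - - [13/May/2026:10:00:03 +0000] "GET /_next/data/abc123/dashboard.json HTTP/1.1" 200 512',
  '203.0.113.7 - - [13/May/2026:10:00:04 +0000] "GET /_next/data/abc123/settings/profile.json?x=1 HTTP/1.1" 200 90',
];
```

A hit is only suspicious when the resolved page is one the middleware is meant to protect, so join the result against the application's protected-route list before alerting.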

Exploits (2)

GitHub · Working PoC · 127 stars
by dwisiswant0 · Python PoC
https://github.com/dwisiswant0/next-16.2.4-pocs

Classification: Working PoC (95%)
Attack type: Auth bypass
Complexity: Moderate
Reliability: Reliable
Target: Next.js v16.2.4
Auth required: none
Prerequisites: Vulnerable Next.js application running v16.2.4
Analyzed by devstral-2 on May 13, 2026
GitHub · Working PoC
by XZ1r0 · Python PoC
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/other/next-16.2.4-pocs/poc/CVE-2026-44573_GHSA-36qx-fr4f-26g5

This repository contains a functional exploit for CVE-2026-44573, which bypasses middleware authentication in Next.js Pages Router applications with i18n configuration by exploiting a gap in the middleware matcher regex for locale-prefixed data URLs.

Classification: Working PoC (100%)
Attack type: Auth bypass
Complexity: Moderate
Reliability: Reliable
Target: Next.js <= 16.2.4
Auth required: none
Prerequisites: Next.js application with Pages Router and i18n configuration · Access to the target application
Analyzed by devstral-2 on May 21, 2026

Scores

CVSS v3.1 base score: 7.5
EPSS: 0.0005 (16.4th percentile)
Attack vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC (Vulnrichment)

Exploitation: none
Automatable: yes
Technical impact: partial

Details

CWE: CWE-863
Status: published
Products (5):
npm/next 12.2.0 - 15.5.16
npm/next 16.0.0 - 16.2.5
vercel/next.js 12.2.0 - 15.5.16
vercel/next.js >= 12.2.0, < 15.5.16
vercel/next.js >= 16.0.0, < 16.2.5
Published: May 13, 2026
Tracked since: May 13, 2026