CVE-2026-44574

HIGH LAB

Next.js: Middleware / Proxy bypass through dynamic route parameter injection

Title source: cna

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-44574. PoCs published by dwisiswant0, XZ1r0.

AI-analyzed exploit summary This repository contains functional proof-of-concept exploits for multiple Next.js vulnerabilities, including CVE-2026-44574, which involves a dynamic-route and middleware mismatch. The PoCs are well-documented with detailed write-ups, vulnerable code excerpts, and runnable exploit scripts.

Description

Next.js is a React framework for building full-stack web applications. From 15.4.0 to before 15.5.16 and 16.2.5, applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployments, specially crafted query parameters can alter the dynamic route value seen by the page while leaving the visible path unchanged, which can allow protected content to be rendered without passing the expected middleware check. This vulnerability is fixed in 15.5.16 and 16.2.5.

Exploits (2)

github WORKING POC 127 stars

by dwisiswant0 · pythonpoc

https://github.com/dwisiswant0/next-16.2.4-pocs

View Code ZIP pw:eip

This repository contains functional proof-of-concept exploits for multiple Next.js vulnerabilities, including CVE-2026-44574, which involves a dynamic-route and middleware mismatch. The PoCs are well-documented with detailed write-ups, vulnerable code excerpts, and runnable exploit scripts.

Classification

Working Poc 95%

Attack Type

Ssrf | Auth Bypass | Xss | Dos

Complexity

Moderate

Reliability

Reliable

Target: Next.js v16.2.4

No auth needed

Prerequisites: Vulnerable Next.js v16.2.4 installation · Network access to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1210 - Exploitation of Remote Services T1078 - Valid Accounts T1059.007 - JavaScript T1189 - Drive-by Compromise T1499 - Endpoint Denial of Service

devstral-2 · analyzed May 13, 2026 Full analysis →

github WORKING POC

by XZ1r0 · pythonpoc

https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/other/next-16.2.4-pocs/poc/CVE-2026-44574_GHSA-492v-c6pp-mqqv

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2026-44574, demonstrating a dynamic-route parameter injection bypass in Next.js ≤16.2.4. The exploit leverages internal search parameters (`nxtP*`) and a double-encoding bug to bypass middleware authorization checks, allowing unauthorized access to protected routes.

Classification

Working Poc 100%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Next.js ≤16.2.4

No auth needed

Prerequisites: Target running Next.js ≤16.2.4 · Access to a public route on the target application

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts

devstral-2 · analyzed May 21, 2026 Full analysis →

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/vercel/next.js/security/advisories/GHSA-492v-c6pp-mqqv

Scores

CVSS v3 8.1

EPSS 0.0001

EPSS Percentile 1.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Lab Environment

COMMUNITY SUSPICIOUS

Community Lab

https://github.com/dwisiswant0/next-16.2.4-pocs

https://github.com/XZ1r0/cve-2026-poc-collection

View in Library

Details

CWE

CWE-288

Status published

Products (5)

npm/next 15.4.0 - 15.5.16npm

npm/next 16.0.0 - 16.2.5npm

vercel/next.js 15.4.0 - 15.5.16

vercel/next.js >= 15.4.0, < 15.5.16

vercel/next.js >= 16.0.0, < 16.2.5

Published May 13, 2026

Tracked Since May 13, 2026