CVE-2026-45109
HIGHNext.js: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
Title source: cnaDescription
Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. This vulnerability is fixed in 15.5.18 and 16.2.6.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/vercel/next.js/security/advisories/GHSA-26hh-7cqf-hhc6
Scores
CVSS v3
7.5
EPSS
0.0001
EPSS Percentile
3.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-288
Status
published
Products (5)
npm/next
15.2.0 - 15.5.18npm
npm/next
16.0.0 - 16.2.6npm
vercel/next.js
15.2.0 - 15.5.18
vercel/next.js
>= 15.2.0, < 15.5.17
vercel/next.js
>= 16.0.0, < 16.2.6
Published
May 13, 2026
Tracked Since
May 13, 2026