Next.js May 2026 Coordinated Security Release (13 advisories)
- Package: next
- Published: May 6, 2026
- Last updated: May 9, 2026
- Status: Active
- GHSA: next-2026-05-release
Summary
On May 6, 2026 the Next.js team released a coordinated set of 13 security advisories spanning middleware/proxy bypass, SSRF, cache poisoning, XSS, and DoS. A single upgrade to Next.js 15.5.16 / 16.2.5 resolves all of them.
Affected versions
| Affected range | Patched version |
|---|---|
| >=16.0.0 <16.2.5 | 16.2.5 |
| >=15.0.0 <15.5.16 | 15.5.16 |
What this page is
This advisory is a hub for the 13 coordinated advisories the Next.js team published on May 6, 2026. All 13 are resolved by a single upgrade to Next.js 15.5.16 / 16.2.5. Compare your installed version against the affected ranges in the table above to check whether it is in scope.
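The range check above is easy to script so it can run in CI rather than by hand. The following is an added example, not ConfigDeck's or the Next.js project's own code: a dependency-free checker that parses a plain `x.y.z` version, compares it against the two affected ranges stated in the table, and reports which patch line to move to. It goes slightly beyond the table by also flagging 13.x / 14.x as "check per advisory" (the hub says those majors are hit only by a subset) and by treating a prerelease tag as older than the bare release, which is the conservative reading. The function names and the `node_modules/next/package.json` lookup are this example's assumptions.

```javascript
// Added example: check an installed `next` version against the affected ranges
// published in the May 2026 hub. Not code from ConfigDeck or the Next.js project.

// Ranges from the advisory hub: affected when >= min and < patched on each line.
const AFFECTED_RANGES = [
  { line: "16.x", min: "16.0.0", patched: "16.2.5" },
  { line: "15.x", min: "15.0.0", patched: "15.5.16" },
];

// Parse "v16.2.4" / "16.2.5-canary.3" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Semver-style ordering; a prerelease sorts before its bare release,
// so "16.2.5-canary.3" still counts as affected (conservative assumption).
function compare(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// Decide what the hub says about this version and which patch resolves it.
function assess(version) {
  const v = parseVersion(version);
  const range = AFFECTED_RANGES.find((r) => parseVersion(r.min).major === v.major);
  if (range) {
    const affected = compare(v, parseVersion(range.patched)) < 0;
    return affected
      ? { status: "affected", line: range.line, upgradeTo: range.patched }
      : { status: "patched", line: range.line, upgradeTo: null };
  }
  if (v.major === 13 || v.major === 14) {
    // Hub: these majors are affected by only a subset; confirm on each GHSA page.
    return { status: "check-per-advisory", line: `${v.major}.x`, upgradeTo: "15.5.16 or 16.2.5" };
  }
  return { status: "not-covered-by-this-hub", line: `${v.major}.x`, upgradeTo: null };
}

// Read the version actually resolved in a project tree (assumed location:
// node_modules/next/package.json). Returns null when next is not installed.
function installedNextVersion(projectDir) {
  const fs = require("fs");
  const path = require("path");
  const pkg = path.join(projectDir, "node_modules", "next", "package.json");
  if (!fs.existsSync(pkg)) return null;
  return JSON.parse(fs.readFileSync(pkg, "utf8")).version;
}

// Usage (constructed sample, no project needed):
//   const r = assess("16.2.4");   // { status: "affected", line: "16.x", upgradeTo: "16.2.5" }
//   const v = installedNextVersion(process.cwd()); if (v) console.log(assess(v));
```

In a pipeline, fail the build when `assess(...)` returns `"affected"`, and treat `"check-per-advisory"` as a manual review item rather than a pass, since the hub does not enumerate which of the 13 apply to 13.x / 14.x.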
For advisories where ConfigDeck operates a dedicated page, the table includes a link to the deep-dive. For the rest, follow the GitHub Advisory link directly.
Per-category breakdown (13 advisories)
Middleware / proxy bypass (5)
| GHSA | Title | Severity |
|---|---|---|
| GHSA-267c-6grr-h53f | Auth bypass via App Router segment-prefetch URL | High — details |
| GHSA-26hh-7cqf-hhc6 | App Router segment-prefetch bypass (incomplete-fix follow-up) | High |
| GHSA-36qx-fr4f-26g5 | Pages Router default-locale proxy authorization bypass | High |
| GHSA-492v-c6pp-mqqv | Bypass via dynamic route parameter injection | High |
| GHSA-3g8h-86w9-wvmq | Middleware redirects can be cache-poisoned | Low |
Denial of service (3)
| GHSA | Title | Severity |
|---|---|---|
| GHSA-rv78-f8rc-xrxh | DoS in React Server Components (CVE-2026-23870) | High — details |
| GHSA-mg66-mrh9-m8jx | DoS via connection exhaustion in Cache Components | High |
| GHSA-h64f-5h5j-jqjh | DoS via Image Optimization API | Moderate |
Server-side request forgery (1)
| GHSA | Title | Severity |
|---|---|---|
| GHSA-c4j6-fc7j-m34r | SSRF in WebSocket-upgrade applications | High |
Cache poisoning (2)
| GHSA | Title | Severity |
|---|---|---|
| GHSA-wfc6-r584-vfw7 | Cache poisoning in RSC responses | Moderate |
| GHSA-vfv6-92ff-j949 | Cache poisoning via RSC cache-busting collisions | Low |
Cross-site scripting (2)
| GHSA | Title | Severity |
|---|---|---|
| GHSA-ffhc-5mcf-pf4q | XSS in App Router with CSP nonces | Moderate |
| GHSA-gx5p-jg67-6x7h | XSS in beforeInteractive scripts with untrusted input | Moderate |
Shared affected range / patch
Affected ranges differ slightly per advisory, but upgrading to the latest patch on either supported line resolves all 13.
```bash
# 15.x line
npm install next@15.5.16
# 16.x line
npm install next@16.2.5
# Or latest stable
npm install next@latest
```
Next.js 13.x / 14.x are affected only by a subset of these advisories. If you are still on those majors, check each GHSA page in the GitHub Advisory Database to confirm whether your major is in scope. Both lines are reaching the end of mainstream support, so migrating to 15.5.16 / 16.2.5 is recommended where possible.
Prioritization guide
You do not need to treat all 13 with the same urgency. Recommended order:
- Patch immediately: The 5 middleware/proxy bypass advisories + 3 DoS advisories — auth bypass and availability impact are the highest-blast-radius incidents.
- If using App Router with public exposure: The 1 SSRF advisory + 2 cache-poisoning advisories — especially relevant when a CDN/cache layer sits in front.
- If you rely on CSP or untrusted input handling: The 2 XSS advisories.
All three tiers are resolved by the same patch (15.5.16 / 16.2.5), so the actual change is a single upgrade plus a regression pass.
Summary
This page collects the May 6, 2026 coordinated advisories into a single, browsable view. Check whether your installed Next.js version falls in the affected range shown in the table above, upgrade to the patched line, run your regression suite, and you address all 13 in one cycle.