HIGH CVSS 7.5 npm: next CWE-288

Next.js App Router Middleware Bypass (CVE-2026-44575)

Published: May 6, 2026
Last updated: May 9, 2026
Status: Active
GHSA: GHSA-267c-6grr-h53f

Summary

Specially crafted segment-prefetch URLs (the `.rsc` variants) in the Next.js App Router can bypass middleware matchers, allowing protected route data to be reached without going through authentication or authorization checks. High (CVSS 7.5). Upgrade to ≥ 15.5.16 / ≥ 16.2.5.

Affected versions

Affected version ranges and patched versions

  Affected range        Patched
  >=15.2.0 <15.5.16     15.5.16
  >=16.0.0 <16.2.5      16.2.5

Hosting Environment Impact

Every Next.js App Router environment that uses middleware as an authentication gate is affected.

  • Vercel: Affected. Auto-update is recommended after the May 2026 patch release.
  • Netlify / Cloudflare Pages: Affected. Hosting-level WAF rules help but are no substitute for the upstream patch.
  • Self-hosted Node.js: Affected. Patch immediately if you operate middleware-protected routes.
  • Pages Router: Tracked separately (GHSA-36qx-fr4f-26g5) and patched in the same May 2026 release.

Vulnerability Mechanism

Next.js App Router prefetches route segments before the user clicks a link, so the request that reaches the server is a segment-variant URL (e.g. /admin.rsc, __next/data style) rather than the regular page URL (/admin).

If the developer wrote middleware.js/proxy.js matchers based only on the page URL pattern, the variant URLs never match the matcher and the middleware is skipped. The flow looks like:

# Normal request: middleware runs, unauthenticated users are blocked
curl https://target.example.com/admin
# → 401 or redirect to login

# Segment-prefetch variant: bypasses the matcher
curl https://target.example.com/admin.rsc
# → returns the RSC payload that should have been protected

CVSS 7.5 (High) reflects (1) protected route data is exposed without authentication, (2) the RSC payload contains the rendered server data verbatim, and (3) almost every App Router project that defines page-URL matchers is affected. Confidentiality only (C:H) — integrity/availability are unaffected, hence one notch below CVE-2025-29927.

Patch & Mitigation

1. Upgrade Next.js

# 15.x line
npm install next@15.5.16

# 16.x line
npm install next@16.2.5

# Or latest stable
npm install next@latest

Minimum safe versions per major:

  • Next.js 15: 15.5.16
  • Next.js 16: 16.2.5

Next.js 13.x and 14.x are not affected by this CVE (they handle segment-prefetch URLs differently). However, other May 2026 advisories may apply, so check the aggregate advisory as well.

2. Temporary mitigation (before patching)

Explicitly add the segment-prefetch variant patterns to your middleware matcher:

// middleware.ts
export const config = {
  matcher: [
    '/admin/:path*',
    '/admin/:path*.rsc', // include the RSC prefetch variant
    '/api/:path*',
  ],
}
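A complementary control is to make the authorization decision inside the middleware function on a normalized path, so the decision no longer depends on the matcher listing every URL variant. The following is an added example written for this page; it is not code from the advisory, from Vercel or from the Next.js project. `PROTECTED_PREFIXES`, the `session` cookie name and the plain-object `request` are assumptions chosen so the logic runs offline, and a cookie presence check stands in for real session validation. The middleware.ts wiring is sketched in a comment at the end.

```javascript
// Added example for this advisory page, not code from Next.js or the advisory.
// Make the authorization decision on a *normalized* path so that the
// segment-prefetch variant "/admin.rsc" is treated exactly like "/admin",
// independently of whether the matcher lists every variant.

// Route prefixes that require a session. Constructed sample for this example.
const PROTECTED_PREFIXES = ['/admin', '/api'];

// Session cookie name. Assumption for this example; substitute your own.
const SESSION_COOKIE = 'session';

// Collapse a request path and its ".rsc" prefetch variant onto one canonical path:
//   "/admin.rsc"        -> "/admin"
//   "/admin/users.rsc/" -> "/admin/users"
//   "/"                 -> "/"
function normalizePathname(pathname) {
  let p = pathname.replace(/\/+$/, ''); // drop trailing slashes first ("/admin.rsc/")
  p = p.replace(/\.rsc$/, '');          // drop the segment-prefetch suffix
  p = p.replace(/\/+$/, '');            // "/admin/.rsc" -> "/admin"
  return p === '' ? '/' : p;
}

// True when the canonical path is a protected prefix or lies beneath one.
// The "prefix + '/'" check keeps "/administrator" from matching "/admin".
function requiresAuth(pathname, prefixes = PROTECTED_PREFIXES) {
  const p = normalizePathname(pathname);
  return prefixes.some((prefix) => p === prefix || p.startsWith(prefix + '/'));
}

// Authorization decision for one request. `request` is a plain object
// ({ pathname, cookies }) standing in for NextRequest so this runs offline.
// Cookie presence stands in for session validation; verify the session for real.
function decide(request) {
  if (!requiresAuth(request.pathname)) return { action: 'next' };
  const session = request.cookies ? request.cookies[SESSION_COOKIE] : undefined;
  if (!session) {
    // Answer 401 rather than redirecting: a prefetch fetch cannot usefully follow
    // a login redirect, and a 401 on a ".rsc" path is a clean signal to alert on.
    return { action: 'deny', status: 401, canonical: normalizePathname(request.pathname) };
  }
  return { action: 'next' };
}

// Wiring sketch for middleware.ts (kept as a comment so this file runs stand-alone):
//   import { NextResponse } from 'next/server';
//   export function middleware(req) {
//     const cookies = Object.fromEntries(req.cookies.getAll().map((c) => [c.name, c.value]));
//     const d = decide({ pathname: req.nextUrl.pathname, cookies });
//     return d.action === 'deny' ? new NextResponse(null, { status: d.status }) : NextResponse.next();
//   }
// Keep the matcher that lists the ".rsc" variants as well; this check is the second layer.

// Constructed requests: page URL and prefetch variant, with and without a session.
const SAMPLE_REQUESTS = [
  { pathname: '/admin', cookies: {} },
  { pathname: '/admin.rsc', cookies: {} },
  { pathname: '/admin/users.rsc', cookies: { session: 'constructed-session-id' } },
  { pathname: '/public/about.rsc', cookies: {} },
];

for (const r of SAMPLE_REQUESTS) {
  const d = decide(r);
  console.log(`${r.pathname} -> ${d.action}${d.status ? ' ' + d.status : ''}`);
}
```

The matcher remains the first filter; this check simply guarantees that a variant URL which does reach the middleware is judged by the same rule as the page URL it prefetches.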

You can also enforce the same authentication rule at the WAF / reverse proxy layer for any request that includes a .rsc suffix or segment-prefetch headers. Cloudflare published adapter-level mitigations alongside the May 2026 release (Cloudflare changelog).

3. Verifying the patch

After upgrading, hitting the variant URL without auth should trigger middleware (401 or redirect):

curl -I https://target.example.com/admin.rsc
# → 401 or 302 (login redirect) means the patch is active
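The same check can be run over access logs rather than one URL at a time: any 2xx answer to a `.rsc` request under a protected prefix is either the bypass being exercised before the patch or a regression after it. This is an added example for this page, not a tool from the advisory or from Next.js; the log lines, client addresses and protected prefixes are constructed, and the parser assumes the common NGINX/Apache combined log format.

```javascript
// Added example for this advisory page, not a tool from Next.js or the advisory.
// Scan access logs for ".rsc" segment-prefetch requests under protected prefixes
// that were answered with a 2xx status. After the patch these should be 401/302,
// so a 2xx is either the bypass being exercised (unpatched) or a regression.

// Protected route prefixes (constructed sample; mirror your middleware matcher).
const PROTECTED_PREFIXES = ['/admin', '/api'];

// Constructed sample in NGINX/Apache "combined" log format. Addresses are from
// documentation ranges and the requests are made up for this example.
const SAMPLE_LOG = `
203.0.113.10 - - [06/May/2026:10:01:02 +0000] "GET /admin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [06/May/2026:10:01:05 +0000] "GET /admin.rsc HTTP/1.1" 200 18342 "-" "Mozilla/5.0"
203.0.113.10 - - [06/May/2026:10:01:09 +0000] "GET /admin/users.rsc?_rsc=1a2b HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.7 - - [06/May/2026:10:02:00 +0000] "GET /about.rsc HTTP/1.1" 200 4020 "-" "Mozilla/5.0"
198.51.100.7 - - [06/May/2026:10:02:30 +0000] "GET /admin.rsc HTTP/1.1" 401 0 "-" "curl/8.5.0"
`;

// Fields of one combined-format line: client, timestamp, request line, status, bytes.
const COMBINED_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)/;

// Parse one line into { ip, time, method, path, status, bytes }, or null when it
// does not look like a combined-format record. The query string is dropped from path.
function parseCombinedLine(line) {
  const m = COMBINED_RE.exec(line);
  if (!m) return null;
  const [, ip, time, method, target, status, bytes] = m;
  return {
    ip,
    time,
    method,
    path: target.split('?')[0],
    status: Number(status),
    bytes: bytes === '-' ? 0 : Number(bytes),
  };
}

// True when the request path is a ".rsc" variant whose page path is protected.
function isProtectedRscPath(path, prefixes = PROTECTED_PREFIXES) {
  if (!path.endsWith('.rsc')) return false;
  const base = path.slice(0, -'.rsc'.length); // "/admin.rsc" -> "/admin"
  return prefixes.some((prefix) => base === prefix || base.startsWith(prefix + '/'));
}

// Records that should have been blocked but were served: protected ".rsc" path, 2xx status.
function findSuspiciousRscHits(logText, prefixes = PROTECTED_PREFIXES) {
  return logText
    .split('\n')
    .map(parseCombinedLine)
    .filter((e) => e !== null)
    .filter((e) => e.status >= 200 && e.status < 300 && isProtectedRscPath(e.path, prefixes));
}

// Count of suspicious hits per client address, for triage and alert thresholds.
function summarizeByClient(hits) {
  const counts = {};
  for (const h of hits) counts[h.ip] = (counts[h.ip] || 0) + 1;
  return counts;
}

const hits = findSuspiciousRscHits(SAMPLE_LOG);
for (const h of hits) {
  console.log(`${h.time} ${h.ip} ${h.method} ${h.path} -> ${h.status} (${h.bytes} bytes)`);
}
console.log('per client:', summarizeByClient(hits));
```

In the sample, the two 200 responses to `/admin.rsc` and `/admin/users.rsc` are flagged, the public `/about.rsc` is ignored, and the 401 on `/admin.rsc` from the curl check is the post-patch behaviour the verification step above expects. Run the same scan before and after upgrading: the flagged count should drop to zero.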

Summary

This vulnerability stems from a blind spot in middleware matchers: when developers target only page URLs, protected RSC data leaks through the segment-prefetch variants. Because the fix ships as part of the May 2026 coordinated release, upgrading once resolves several related advisories at the same time.

Credits

  • timneutkens

This page is based on the following data sources:

  • GitHub Advisory Database (CC-BY-4.0) — github.com/advisories
  • National Vulnerability Database (Public Domain) — nvd.nist.gov
  • MITRE CVE Program (royalty-free) — cve.mitre.org
