PT-2026-39408 · Vercel · Next.js

Timneutkens · Published 2026-05-06 · Updated 2026-05-13 · CVE-2026-44573

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Next.js versions 12.2.0 through 15.5.15
Next.js versions 16.0.0 through 16.2.4

Description

Applications using the Pages Router with i18n configured and middleware or proxy-based authorization may allow unauthorized access to protected page data. This occurs through locale-less requests to the endpoint "/_next/data/<buildId>/<page>.json". In these configurations, middleware does not execute for the unprefixed data route, enabling an attacker to retrieve Server-Side Rendering (SSR) JSON for protected pages by bypassing intended authorization checks.

Recommendations

Update to version 15.5.16.
Update to version 16.2.5.
Enforce authorization in the page's server-side data path instead of relying solely on middleware.
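
The last recommendation, sketched as an added example (not code from the advisory or from Next.js): the authorization check lives in the page's getServerSideProps, the function that produces the SSR JSON. The session store, the "sid" cookie name, the "/login" destination and the page path are assumptions made for illustration.

```javascript
// getServerSideProps runs for the page's HTML request and for its
// /_next/data JSON request alike, so a check placed here does not depend on
// middleware having executed for the route.

// Hypothetical session store (constructed data). A real application would
// verify a signed cookie or token instead.
const SESSIONS = new Map([
  ["sess-admin-constructed", { user: "alice", roles: ["admin"] }],
  ["sess-user-constructed", { user: "bob", roles: ["user"] }],
]);

// Parse a Cookie header into a prototype-less object.
function parseCookies(header) {
  const out = Object.create(null);
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Returns { session } when access is allowed, otherwise { deny } holding the
// getServerSideProps result to send. Fails closed on a missing session.
function authorize(req, requiredRole) {
  const sid = parseCookies(req.headers.cookie).sid; // "sid": assumed cookie name
  const session = sid ? SESSIONS.get(sid) : undefined;
  if (!session) {
    return { deny: { redirect: { destination: "/login", permanent: false } } };
  }
  if (!session.roles.includes(requiredRole)) return { deny: { notFound: true } };
  return { session };
}

// Wrap a page's data loader so the check always precedes the protected fetch.
function withRole(requiredRole, loadProps) {
  return async function getServerSideProps(context) {
    const { deny, session } = authorize(context.req, requiredRole);
    if (deny) return deny;
    return { props: await loadProps(context, session) };
  };
}

// A protected page (hypothetical pages/admin/report.js) would export this
// as getServerSideProps.
const getServerSideProps = withRole("admin", async (_context, session) => ({
  owner: session.user,
  rows: ["constructed protected row"],
}));
```

Middleware can stay in place as a first layer; with the check in the data path, a request that skips middleware still receives a redirect or a 404 rather than the protected props.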

Exploit

Fix

Incorrect Authorization

Weakness Enumeration

Related Identifiers

BDU:2026-06998
CVE-2026-44573
GHSA-36QX-FR4F-26G5

Affected Products

Next.js