CVE-2026-44575

Name of the Vulnerable Software and Affected Versions Next.js versions 15.2.0 through 15.5.15 Next.js versions 16.0.0 through 16.2.4

Description App Router applications using middleware or proxy-based authorization checks may allow unauthorized access via transport-specific route variants used for segment prefetching. Specially crafted .rsc and segment-prefetch URLs can resolve to the same page without triggering the intended middleware rule, enabling access to protected content without authorization checks.

Recommendations Update to version 15.5.16. Update to version 16.2.5. Enforce authorization in the underlying route or page logic instead of relying solely on middleware.