PT-2026-39418 · Vercel · Next.js

Timneutkens · Published 2026-05-09 · Updated 2026-05-13 · CVE-2026-44576

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions

Next.js versions 14.2.0 through 15.5.15
Next.js versions 16.0.0 through 16.2.4

Description

Applications using React Server Components (RSC) are susceptible to cache poisoning when shared caches fail to correctly partition response variants. An attacker can manipulate the system to serve an RSC response from the original URL, poisoning shared cache entries. Consequently, subsequent visitors receive component payloads instead of the expected HTML. This occurs due to inconsistent validation and interpretation of RSC request headers during request classification and rendering.

Recommendations

Update to version 15.5.16.
Update to version 16.2.5.
Ensure the CDN or reverse proxy keys on relevant RSC request headers and honors Vary.
Disable shared caching for affected App Router and RSC responses.
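
The recommendation above to key on RSC request headers and honor Vary can be checked against a small model of a shared cache. This is an added example, not code from Next.js or from this advisory. The `/dashboard` URL, the payloads, the `Vary: RSC` sample value and all function names are constructed assumptions.

```javascript
// Constructed origin: one URL, two variants selected by the RSC request header.
function origin(req) {
  const isRsc = req.headers['rsc'] === '1';
  return {
    headers: {
      'content-type': isRsc ? 'text/x-component' : 'text/html',
      vary: 'RSC', // constructed sample; a real origin may list more headers
    },
    body: isRsc ? '0:["$","p",null,{}]' : '<!doctype html><p>hello</p>',
  };
}

// Cache key = method + URL + value of every request header named in Vary.
function varyKey(req, varyHeader) {
  const names = (varyHeader || '').split(',')
    .map((n) => n.trim().toLowerCase()).filter(Boolean).sort();
  if (names.includes('*')) return null; // "Vary: *": never reuse from a shared cache
  const parts = names.map((n) => `${n}=${req.headers[n] ?? ''}`);
  return [req.method, req.url, ...parts].join('|');
}

class SharedCache {
  constructor(honorVary) {
    this.honorVary = honorVary;
    this.entries = new Map();   // cache key -> stored response
    this.varyByUrl = new Map(); // method|URL -> Vary value last seen from origin
  }
  fetch(req) {
    const base = `${req.method}|${req.url}`;
    const known = this.honorVary ? this.varyByUrl.get(base) : '';
    const key = known === undefined ? null : varyKey(req, known);
    if (key && this.entries.has(key)) return this.entries.get(key);
    const res = origin(req);
    if (this.honorVary) this.varyByUrl.set(base, res.headers.vary);
    const storeKey = varyKey(req, this.honorVary ? res.headers.vary : '');
    if (storeKey) this.entries.set(storeKey, res);
    return res;
  }
}

// What a plain page load receives after an RSC request for the same URL.
function contentTypeForPageLoad(honorVary) {
  const cache = new SharedCache(honorVary);
  cache.fetch({ method: 'GET', url: '/dashboard', headers: { rsc: '1' } });
  return cache.fetch({ method: 'GET', url: '/dashboard', headers: {} }).headers['content-type'];
}

console.log('URL-only key:', contentTypeForPageLoad(false));
console.log('Vary-aware key:', contentTypeForPageLoad(true));
```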

Fix


Weakness Enumeration

Related Identifiers

BDU:2026-07876
CVE-2026-44576
GHSA-WFC6-R584-VFW7

Affected Products

Next.js