PT-2026-39419 · Vercel · Next.Js

Published: 2026-05-09 · Updated: 2026-05-13 · CVE-2026-44582

CVSS v3.1: 3.7 (Low)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Next.js versions 13.4.6 through 15.5.15
Next.js versions 16.0.0 through 16.2.4

Description

React Server Component responses are susceptible to cache poisoning in deployments utilizing shared caches with insufficient response partitioning. Collisions in the rsc cache-busting value allow an attacker to poison cache entries, causing users to receive incorrect response variants for a specific URL.

Recommendations

Update to version 15.5.16.
Update to version 16.2.5.
Ensure intermediary caches correctly honor Vary for RSC-related request headers.
Disable shared caching for affected RSC responses.
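
A triage helper for the recommendations above, added here as an example and not taken from Next.js or from the advisory: it checks an installed version against the affected ranges and inspects the headers of an RSC response for shared-cache exposure. The header names in RSC_REQUEST_HEADERS and the sample response are assumptions; adjust the list to the headers your deployment varies on.

```javascript
// Added example (not Next.js or advisory code). Sample inputs are constructed.
// Affected ranges as listed in the advisory, inclusive on both ends.
const AFFECTED = [
  { from: [13, 4, 6], to: [15, 5, 15] },
  { from: [16, 0, 0], to: [16, 2, 4] },
];
// Assumption: request headers that select an RSC response variant.
const RSC_REQUEST_HEADERS = ['rsc', 'next-router-state-tree', 'next-router-prefetch'];

function parseVersion(v) {
  // Pre-release suffixes (e.g. "-canary.1") are ignored; check those builds by hand.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return AFFECTED.some((r) => compare(v, r.from) >= 0 && compare(v, r.to) <= 0);
}

// Split a comma-separated header value into lowercase tokens.
const tokens = (s) => (s || '').split(',').map((t) => t.trim().toLowerCase()).filter(Boolean);

function auditRscResponse(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const vary = tokens(h['vary']);
  const cc = tokens(h['cache-control']);
  // "private" and "no-store" both forbid storage in a shared cache; a missing
  // Cache-Control is treated as storable because caches may apply heuristics.
  const sharedCacheable = !cc.includes('private') && !cc.includes('no-store');
  const missingVary = vary.includes('*') ? [] : RSC_REQUEST_HEADERS.filter((n) => !vary.includes(n));
  return { sharedCacheable, missingVary, exposed: sharedCacheable && missingVary.length > 0 };
}

function assess(version, headers) {
  const audit = auditRscResponse(headers);
  return { affectedVersion: isAffected(version), ...audit,
           actionNeeded: isAffected(version) && audit.exposed };
}

// Constructed sample: an RSC response observed behind a CDN.
console.log(assess('15.5.12', { 'Cache-Control': 's-maxage=60', Vary: 'Accept-Encoding' }));
```

A complete Vary header on the response does not prove that the intermediary cache keys on it, so a clean result here still needs the cache's own configuration checked.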

Related Identifiers

BDU:2026-06997
CVE-2026-44582
GHSA-VFV6-92FF-J949

Affected Products

Next.Js