A high-severity vulnerability in Next.js allows attackers to bypass middleware-based authorization controls in App Router applications through specially crafted .rsc and segment-prefetch requests. Tracked as CVE-2026-44575, the vulnerability can expose protected pages and sensitive application content without triggering the intended authentication or access control checks.
Next.js is one of the most widely used frameworks for building full-stack React applications, APIs, and server-rendered platforms. Many organizations rely on middleware for enforcing authentication, tenant isolation, session validation, and route protection across modern App Router deployments. That widespread dependency is what makes this vulnerability especially important.
By abusing internal App Router transport behavior, attackers can access protected resources through alternate request paths that bypass middleware enforcement entirely. In applications where authorization depends solely on middleware, the vulnerability can expose restricted dashboards, user-specific content, internal APIs, and other sensitive application functionality.
What Is CVE-2026-44575
Risk Analysis
Severity: High
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v3.x Score: 7.5
Exploit Availability: Not Confirmed
Exploit Complexity: Low
CVE-2026-44575 is classified as an authentication bypass through an alternate path (CWE-288). The vulnerability was caused by incomplete middleware matcher generation inside the Next.js App Router framework.
When App Router applications prefetch route segments, Next.js generates transport-specific requests in addition to the standard page URL. For example, a request to /dashboard may also be processed as /dashboard.rsc for React Server Component delivery or through segment-prefetch request patterns.
The problem was that the middleware matcher Next.js generates from middleware.ts did not consistently cover these transport-specific variants, so the middleware function, and any authorization logic inside it, was never invoked for them. As a result, specially crafted .rsc or segment-prefetch requests could reach the same protected route while bypassing the intended middleware enforcement entirely.
CVE-2026-44575 Affected Versions
CVE-2026-44575 affects applications using the Next.js App Router where authorization is enforced primarily through middleware.ts (or the proxy.ts file that replaces it in Next.js 16). The vulnerability is particularly relevant for self-hosted deployments and environments running on platforms such as Railway, Netlify, or other non-Vercel infrastructure.
The following versions are affected:
- 15.x Branch: 15.2.0 through 15.5.15
- 16.x Branch: 16.0.0 through 16.2.4
The vulnerability was initially fixed in:
- 15.x Branch: 15.5.16+
- 16.x Branch: 16.2.5+
However, researchers later identified that the original fix did not fully apply to certain Turbopack environments. Additional fixes were released in:
- 15.5.18
- 16.2.6
There are also important scope limitations to understand. Vercel-managed deployments are not affected by this specific vulnerability. Applications using the older Pages Router are also outside the vulnerable code path, as are client-only React applications and Edge Runtime deployments.
Applications that enforce authorization directly inside route handlers, APIs, or backend business logic instead of relying solely on middleware are significantly less exposed. However, upgrading to a patched version is still strongly recommended.
How CVE-2026-44575 Could Be Exploited
Exploitation of CVE-2026-44575 does not require authentication, specialized tooling, or deep knowledge of the target application. An attacker only needs to identify routes protected through middleware-based authorization.
1. Route Enumeration
The attacker first identifies protected routes within the application. In many Next.js deployments, routes such as /dashboard, /admin, /account, or tenant-specific panels are predictable.
A normal request to these routes typically triggers middleware enforcement and redirects the user to a login page or returns an authorization error, confirming that the route exists and is protected.
GET /dashboard HTTP/1.1
Host: app.example.com
→ Middleware intercepts request
→ Redirect to /login (302/307) or an authorization error (401/403)
2. Crafting the Bypass Request
Instead of requesting the standard page route directly, the attacker targets a transport-specific App Router variant such as:
- /dashboard.rsc
- /dashboard.segments/$c$children/__PAGE__.segment.rsc
- Segment-prefetch request variants
These alternate request paths resolve to the same underlying page but are processed differently inside the App Router transport layer.
Because the middleware matcher does not properly account for these variants in vulnerable versions, the request bypasses the intended authorization checks.
3. Middleware Enforcement Is Skipped
The Next.js server processes the .rsc or segment-prefetch request and renders the associated route normally. However, the middleware function is never invoked because the request does not match the generated middleware rules.
GET /dashboard.rsc HTTP/1.1
Host: app.example.com
→ Middleware not triggered
→ Protected content returned
4. Protected Content Is Exposed
Once the bypass succeeds, the attacker receives the React Server Component payload associated with the protected route. Depending on how the application is designed, this can expose sensitive user information, administrative interfaces, tenant-specific data, internal application state, or protected dashboard content that would normally require authentication and authorization checks.
Any unpatched self-hosted Next.js App Router deployment relying solely on middleware for authorization should be treated as exposed.
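The four steps above amount to a simple differential test, and the same test is the quickest way to confirm whether one of your own deployments is exposed. The script below is an added example (not code from the advisory or from Next.js): it requests a protected page anonymously, then requests the .rsc and segment-prefetch variants of the same route, and reports a bypass only when the page is denied but a variant renders. The base URL, the default route list and the RSC request header are assumptions; fetchImpl is injectable so the verdict logic can be exercised without a network.

```javascript
// Added example, not code from the advisory or from Next.js. Read-only self-check that
// sends the requests from steps 1-3 to your own deployment and compares the answers.
// Base URL, route list and the RSC request header are assumptions for this example.

// Segment-prefetch path shape as quoted in the advisory for a page at the route's root.
const SEGMENT_SUFFIX = ".segments/$c$children/__PAGE__.segment.rsc";

// Transport variants of a page route that the App Router also serves.
function variantsFor(route) {
  return [
    { kind: "rsc", path: `${route}.rsc` },
    { kind: "segment-prefetch", path: `${route}${SEGMENT_SUFFIX}` },
  ];
}

// A page counts as protected when an anonymous client is redirected or refused outright.
function isDenied(status) {
  return status === 401 || status === 403 || (status >= 300 && status < 400);
}

// Verdict for one route/variant pair:
//   bypass       page denied but the variant rendered (the behaviour in step 3)
//   no-bypass    variant denied, or not routed at all
//   unprotected  the page itself is public, so there is nothing to bypass
//   inconclusive anything else (5xx, rate limiting, WAF block page, ...)
function classify(pageStatus, variantStatus) {
  if (!isDenied(pageStatus)) return "unprotected";
  if (variantStatus === 200) return "bypass";
  if (isDenied(variantStatus) || variantStatus === 404) return "no-bypass";
  return "inconclusive";
}

// Fetch the page and each variant without credentials. redirect: "manual" keeps the
// 302 to /login visible instead of following it to a 200 login page.
async function probeRoute(baseUrl, route, fetchImpl = globalThis.fetch) {
  const statusOf = async (path, headers) => {
    const res = await fetchImpl(new URL(path, baseUrl), { method: "GET", headers, redirect: "manual" });
    return res.status;
  };
  const pageStatus = await statusOf(route, {});
  const findings = [];
  for (const v of variantsFor(route)) {
    // RSC: 1 is the header the App Router client sends with RSC requests; verify it
    // against the Next.js version you run (assumption for this example).
    const variantStatus = await statusOf(v.path, { RSC: "1" });
    findings.push({ route, kind: v.kind, path: v.path, pageStatus, variantStatus,
                    verdict: classify(pageStatus, variantStatus) });
  }
  return findings;
}

// CLI usage: node probe.js https://app.example.com /dashboard /admin
if (typeof require !== "undefined" && require.main === module) {
  const [baseUrl = "https://app.example.com", ...routes] = process.argv.slice(2); // assumption
  const targets = routes.length ? routes : ["/dashboard", "/admin", "/account"];
  Promise.all(targets.map((r) => probeRoute(baseUrl, r))).then((all) => {
    for (const f of all.flat()) {
      console.log(`${f.verdict.padEnd(12)} ${f.path} (page ${f.pageStatus}, variant ${f.variantStatus})`);
    }
  });
}
```

Run it only against systems you are authorized to test. A verdict of "unprotected" means the page itself answered 200 anonymously, so the route is not a useful test case; "inconclusive" usually means a WAF or rate limiter answered instead of the application and the request should be retried from an allowed source.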
CVE-2026-44575 Remediation and Mitigation
The primary remediation for CVE-2026-44575 is upgrading to a patched version of Next.js. Organizations running the 15.x branch should upgrade to 15.5.16 or later, while deployments using Turbopack should upgrade to 15.5.18 or newer. For the 16.x branch, the recommended versions are 16.2.5 or later, or 16.2.6+ for Turbopack environments.
Applications running Next.js 13.x or 14.x will not receive fixes for this vulnerability. Organizations using these versions should plan an upgrade to a supported release branch.
If immediate patching is not possible, authorization checks should not depend on middleware.ts alone: enforce them directly inside route handlers, API routes, server-side data access, or page-level business logic, where they run regardless of which request path reaches the route. Middleware in Next.js is primarily designed for routing and request handling, not as a standalone security enforcement boundary. Validating access permissions inside the application logic itself removes the dependency on the middleware matcher and so closes alternate-path bypasses of this kind.
For Netlify deployments, the upstream fix may not fully apply in environments using Pages Router with i18n configurations. The complete remediation is included in OpenNext Netlify adapter version 5.15.11. Environments using automatically installed adapters require a redeployment, while manually managed deployments must upgrade @netlify/plugin-nextjs before redeploying.
Organizations should also review access logs for requests to protected routes that carry a .rsc extension, a segment-prefetch path, or the request headers the App Router client sends for RSC and prefetch fetches. A 200 response to such a request from a client that presents no valid session cookie may indicate attempted or successful exploitation. Note that logged-in users generate the same .rsc requests during normal client-side navigation, so the presence or absence of a session is what separates legitimate traffic from probing.
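The following is an added example of that log review (not code from the advisory or from any vendor tool). It runs over newline-delimited JSON access-log entries, a constructed format carrying the request path, status, client address, whether a session cookie was present, and the RSC request header if the proxy logs it; the sample log lines are constructed for the example and the protected route list is an assumption. Adapt the field names to whatever your reverse proxy emits.

```javascript
// Added example, not from the advisory: detection logic over access-log lines. Log format,
// field names, sample entries and the protected route list are assumptions for the example.
const PROTECTED_ROUTES = ["/dashboard", "/admin", "/account"]; // assumption

// Transport-variant paths: <route>.rsc or <route>.segments/<...>.segment.rsc
const TRANSPORT_VARIANT = /^(.*?)(?:\.rsc|\.segments\/.+\.segment\.rsc)$/;

function underProtectedRoute(path) {
  return PROTECTED_ROUTES.some((r) => path === r || path.startsWith(r + "/"));
}

// One finding for a 200 on a protected route, reached via a transport variant or the RSC
// header, from a client that presented no session cookie. Returns null otherwise.
function classifyEntry(e) {
  const m = TRANSPORT_VARIANT.exec(e.path);
  const viaHeader = e.rsc_header === "1";
  if (!m && !viaHeader) return null;                  // ordinary page request
  const route = m ? m[1] : e.path;
  if (!underProtectedRoute(route) || e.status !== 200 || e.has_session) return null;
  return { ts: e.ts, client: e.client, path: e.path, route,
           reason: m ? "transport-variant path" : "RSC header on page path" };
}

// Scan newline-delimited JSON; malformed lines are counted rather than fatal, and findings
// are tallied per client so a single source probing several routes stands out.
function scan(logText) {
  const findings = [];
  const byClient = {};
  let malformed = 0;
  for (const line of logText.split("\n")) {
    if (!line.trim()) continue;
    let entry;
    try { entry = JSON.parse(line); } catch { malformed++; continue; }
    const f = classifyEntry(entry);
    if (!f) continue;
    findings.push(f);
    byClient[f.client] = (byClient[f.client] || 0) + 1;
  }
  return { findings, byClient, malformed };
}

// Constructed sample log for the example (not real traffic).
const SAMPLE_LOG = [
  '{"ts":"2026-05-02T10:00:01Z","client":"203.0.113.7","method":"GET","path":"/dashboard","status":302,"has_session":false,"rsc_header":""}',
  '{"ts":"2026-05-02T10:00:02Z","client":"203.0.113.7","method":"GET","path":"/dashboard.rsc","status":200,"has_session":false,"rsc_header":"1"}',
  '{"ts":"2026-05-02T10:00:03Z","client":"198.51.100.20","method":"GET","path":"/dashboard.rsc","status":200,"has_session":true,"rsc_header":"1"}',
  '{"ts":"2026-05-02T10:00:04Z","client":"203.0.113.7","method":"GET","path":"/dashboard.segments/$c$children/__PAGE__.segment.rsc","status":200,"has_session":false,"rsc_header":"1"}',
  '{"ts":"2026-05-02T10:00:05Z","client":"203.0.113.7","method":"GET","path":"/blog.rsc","status":200,"has_session":false,"rsc_header":"1"}',
  '{"ts":"2026-05-02T10:00:06Z","client":"198.51.100.4","method":"GET","path":"/admin","status":200,"has_session":false,"rsc_header":"1"}',
  "garbled line left by a log rotation",
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  const { findings, byClient, malformed } = scan(SAMPLE_LOG);
  for (const f of findings) console.log(`${f.ts} ${f.client} ${f.path} (${f.reason})`);
  console.log("per client:", byClient, "malformed lines:", malformed);
}
```

In the sample, the anonymous .rsc and segment-prefetch hits on /dashboard and the anonymous RSC-header request to /admin are reported; the logged-in user's /dashboard.rsc navigation and the anonymous request to the public /blog.rsc are not, which is the filtering that keeps this rule from paging on normal App Router traffic.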
AppTrana Coverage for CVE-2026-44575
AppTrana provides complete protection against exploitation attempts targeting CVE-2026-44575 through its virtual patching capabilities. Requests abusing .rsc transport variants, segment-prefetch patterns, or alternate route access behavior can be detected and blocked before reaching vulnerable Next.js applications.
For organizations that cannot immediately upgrade to patched Next.js versions, AppTrana helps reduce exposure by monitoring and blocking middleware bypass attempts targeting protected routes.
The screenshots below show AppTrana blocking a bypass attempt targeting a .rsc route, and custom security policies stopping exploitation even on unpatched Next.js deployments.

