Next.js Patches Two Authorization Bypass Flaws in App Router
CVE-2026-44574 (CVSS 8.1) and CVE-2026-44575 (CVSS 7.5) let attackers bypass middleware-based auth checks in Next.js App Router via crafted .rsc URLs and query parameter...

Executive Summary
Vercel has released security updates for Next.js, the widely used React framework, to close two authorization bypass vulnerabilities in the App Router. The flaws — tracked as CVE-2026-44574 (CVSS 8.1, High) and CVE-2026-44575 (CVSS 7.5, High) — allow unauthenticated attackers to access protected routes by exploiting how the framework handles prefetch requests and dynamic route parameters. Applications that rely on middleware or proxy-based access controls for route protection are affected. Patched versions are 15.5.16 and 16.2.5.
Technical Analysis
Both vulnerabilities reside in the App Router middleware layer, which developers commonly use to enforce authentication and authorization checks before page content is served. The advisory, published via GitHub Security Advisories, details two distinct bypass mechanisms.
CVE-2026-44574 (CVSS 8.1) affects Next.js versions 15.4.0 through 15.5.15 and 16.0.0 through 16.2.4. The flaw stems from how the framework processes query parameters in dynamic routes. In affected configurations, specially crafted query parameters can alter the dynamic route segment value seen by the page component while leaving the visible URL path unchanged in the browser. This discrepancy allows an attacker to pass middleware authorization checks intended for one route while the page renders content from a different, potentially protected, route. The advisory notes that applications using middleware to guard dynamic routes — for example, /dashboard/[user] — are vulnerable if the middleware inspects only the pathname without validating query parameters.
CVE-2026-44575 (CVSS 7.5) affects versions 15.2.0 through 15.5.15 and 16.0.0 through 16.2.4. This vulnerability exploits transport-specific route variants used for segment prefetching. Next.js App Router uses .rsc (React Server Component) URLs and segment-prefetch URLs to preload page data for faster navigation. In affected configurations, these specially crafted URLs can resolve to the same route as a standard request but bypass middleware authorization checks entirely. The advisory explains that middleware or proxy-based authorization logic that examines the request path may not account for these prefetch-specific URL variants, allowing unauthorized access to protected content.
Both vulnerabilities require that the application uses the App Router (not the older Pages Router) and relies on middleware or a reverse proxy for authorization decisions. Applications that enforce authorization at the application layer — within page components or server actions — are not affected by these specific bypasses.
Mitigations & Recommendations
Organizations running Next.js with App Router should upgrade to version 15.5.16 (for the 15.x branch) or 16.2.5 (for the 16.x branch) immediately. The patches are available via the standard npm update workflow:
npm install next@15.5.16
# or
npm install next@16.2.5
For teams unable to patch immediately, Vercel recommends reviewing middleware authorization logic to ensure it validates both the request pathname and any query parameters that could influence route resolution. Additionally, developers should audit any proxy-level access controls to confirm they account for .rsc and segment-prefetch URL patterns. As a defense-in-depth measure, authorization checks should be repeated at the page component or server action level rather than relying solely on middleware.
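The following is an added example, not Vercel's code or code from the advisory: framework-agnostic decision logic that a Next.js middleware and a page component could call, covering the three recommendations above (normalize prefetch-variant paths before matching, refuse query parameters that could shadow the dynamic segment, and repeat the check at page level). The /dashboard/[user] route comes from the advisory; the session shape, the `.segments/` prefetch pattern and the query-shadowing heuristic are assumptions.

```javascript
// Added example (not Vercel's or the advisory's code). Pure functions, no
// next/server import, so the same logic is testable outside the framework.
const PROTECTED_PREFIX = "/dashboard/";
const DYNAMIC_SEGMENT = "user"; // name of the [user] segment in /dashboard/[user]

// Fold transport-specific variants back onto the page URL so a prefetch request
// is authorized exactly like the navigation it preloads (CVE-2026-44575 class).
// Returns null when the path cannot be decoded, so callers can deny it.
function canonicalPathname(pathname) {
  let p;
  try { p = decodeURIComponent(pathname); } catch { return null; } // malformed %-encoding
  p = p.replace(/\/{2,}/g, "/");
  // ".rsc" is the suffix the advisory names; ".segments/" is an ASSUMED
  // placeholder shape for segment-prefetch URLs, not taken from the advisory.
  if (p.endsWith(".rsc")) p = p.slice(0, -".rsc".length);
  const seg = p.indexOf(".segments/");
  if (seg !== -1) p = p.slice(0, seg);
  if (p.length > 1 && p.endsWith("/")) p = p.slice(0, -1);
  return p;
}

// Middleware-layer decision. `session` is { user } or null (assumed shape).
function middlewareDecision(rawUrl, session) {
  const url = new URL(rawUrl, "http://app.invalid"); // base only for parsing
  const path = canonicalPathname(url.pathname);
  if (path === null) return { allow: false, reason: "malformed-path" };
  if (!path.startsWith(PROTECTED_PREFIX)) return { allow: true, reason: "public" };
  if (!session) return { allow: false, reason: "unauthenticated" };
  const pathUser = path.slice(PROTECTED_PREFIX.length).split("/")[0];
  if (pathUser !== session.user) return { allow: false, reason: "wrong-user" };
  // Conservative heuristic for the CVE-2026-44574 class: the advisory does not
  // name the parameter, so refuse any query key that shadows the dynamic segment.
  if (url.searchParams.has(DYNAMIC_SEGMENT)) {
    return { allow: false, reason: "query-shadows-segment" };
  }
  return { allow: true, reason: "ok" };
}

// Page-level check against the params the component will actually render with.
// This is the defense-in-depth layer the advisory recommends: it holds even when
// the params the page sees differ from what the visible path suggested.
function pageDecision(params, session) {
  if (!session || params[DYNAMIC_SEGMENT] !== session.user) {
    return { allow: false, reason: "forbidden" };
  }
  return { allow: true, reason: "ok" };
}
```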