Scanner gratuitement
Analyse en attenteCVE-2026-44574

CVE-2026-44574: Authorization Bypass in Next.js

Plateforme

nodejs

Composant

nextjs

Corrigé dans

15.5.16

Voir sur NVD
Sauvegarder

CVE-2026-44574 describes an authorization bypass vulnerability within Next.js, a popular React framework. This flaw allows attackers to circumvent middleware protections on dynamic routes by manipulating query parameters, potentially granting unauthorized access to sensitive data. The vulnerability impacts versions 15.4.0 through 16.2.4, and a fix is available in versions 15.5.16 and 16.2.5.

Impact et Scénarios d'Attaquetraduction en cours…

The primary impact of CVE-2026-44574 is unauthorized access to protected resources within a Next.js application. Attackers can craft malicious query parameters that alter the dynamic route value seen by the application's pages, effectively bypassing middleware checks designed to enforce access control. This could lead to exposure of sensitive user data, administrative functions, or other restricted areas. The blast radius depends on the sensitivity of the protected routes and the potential for lateral movement within the application. A successful exploit could be particularly damaging if the application handles personally identifiable information (PII) or financial data.

Contexte d'Exploitationtraduction en cours…

CVE-2026-44574 was published on May 13, 2026. Its severity is rated HIGH with a CVSS score of 8.1. There are currently no public proof-of-concept (POC) exploits available, and no reports of active exploitation campaigns. The vulnerability is not listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog or has an EPSS score, suggesting a low to medium probability of exploitation in the near term.

Renseignement sur les Menaces

Statut de l'Exploit

Preuve de ConceptInconnu
CISA KEVNO
Exposition InternetÉlevée
Rapports3 rapports de menace

Vecteur CVSS

RENSEIGNEMENT SUR LES MENACES· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N8.1HIGHAttack VectorNetworkComment l'attaquant atteint la cibleAttack ComplexityLowConditions requises pour exploiterPrivileges RequiredLowNiveau d'authentification requisUser InteractionNoneSi une action de la victime est requiseScopeUnchangedImpact au-delà du composant affectéConfidentialityHighRisque d'exposition de données sensiblesIntegrityHighRisque de modification non autorisée de donnéesAvailabilityNoneRisque d'interruption de servicenextguardhq.com · Score de base CVSS v3.1
Que signifient ces métriques?
Attack Vector
Réseau — exploitable à distance via internet. Aucun accès physique ou local requis.
Attack Complexity
Faible — aucune condition spéciale requise. Exploitable de manière fiable.
Privileges Required
Faible — tout compte utilisateur valide est suffisant.
User Interaction
Aucune — attaque automatique et silencieuse. La victime ne fait rien.
Scope
Inchangé — impact limité au composant vulnérable.
Confidentiality
Élevé — perte totale de confidentialité. L'attaquant peut lire toutes les données.
Integrity
Élevé — l'attaquant peut écrire, modifier ou supprimer toutes les données.
Availability
Aucun — aucun impact sur la disponibilité.

Logiciel Affecté

Composantnextjs
Fournisseurvercel
Version minimale15.4.0
Version maximale>= 16.0.0, < 16.2.5
Corrigé dans15.5.16

Classification de Faiblesse (CWE)

CWE-288

Chronologie

  1. Réservé
  2. Publiée

Mitigation et Contournementstraduction en cours…

The recommended mitigation for CVE-2026-44574 is to immediately upgrade Next.js to version 15.5.16 or 16.2.5. If upgrading is not immediately feasible, consider implementing stricter input validation and sanitization within your middleware functions to prevent query parameter manipulation. Review all dynamic routes protected by middleware and ensure that the logic correctly validates the route value. While not a direct fix, implementing a Web Application Firewall (WAF) with rules to detect and block suspicious query parameter patterns can provide an additional layer of defense. After upgrading, confirm the fix by attempting to access protected routes with crafted query parameters to verify that the middleware checks are functioning as expected.

Comment corrigertraduction en cours…

Actualice Next.js a la versión 15.5.16 o superior, o a la versión 16.2.5 o superior. Esta actualización corrige una vulnerabilidad de bypass de autorización en middleware que permite el acceso a contenido protegido sin la validación esperada.

Questions fréquentestraduction en cours…

What is CVE-2026-44574 — Authorization Bypass in Next.js?

CVE-2026-44574 is a HIGH severity vulnerability in Next.js affecting versions 15.4.0–>= 16.0.0, < 16.2.5. It allows attackers to bypass middleware checks by manipulating query parameters, potentially accessing protected content.

Am I affected by CVE-2026-44574 in Next.js?

If you are using Next.js versions 15.4.0 through 16.2.4 and rely on middleware to protect dynamic routes, you are potentially affected by this vulnerability.

How do I fix CVE-2026-44574 in Next.js?

Upgrade Next.js to version 15.5.16 or 16.2.5. As a temporary workaround, implement stricter input validation in your middleware functions.

Is CVE-2026-44574 being actively exploited?

Currently, there are no public proof-of-concept exploits or reports of active exploitation campaigns related to CVE-2026-44574.

Where can I find the official Next.js advisory for CVE-2026-44574?

Refer to the official Next.js security advisory for CVE-2026-44574 on the Next.js GitHub repository or website (check for updates as the advisory may be published later).

Ton projet est-il affecté ?

Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.

Scanner gratuitementRechercher des CVE
en directfree scan

Essayez maintenant — sans compte

scanZone.subtitle

Scan manuelSlack/email alertsContinuous monitoringWhite-label reports

Glissez-déposez votre fichier de dépendances

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...