分析待定CVE-2026-44574

CVE-2026-44574: Authorization Bypass in Next.js

Q: What is CVE-2026-44574 — Authorization Bypass in Next.js?

CVE-2026-44574 is a HIGH severity vulnerability in Next.js affecting versions 15.4.0–>= 16.0.0, < 16.2.5. It allows attackers to bypass middleware checks by manipulating query parameters, potentially accessing protected content.

Q: Am I affected by CVE-2026-44574 in Next.js?

If you are using Next.js versions 15.4.0 through 16.2.4 and rely on middleware to protect dynamic routes, you are potentially affected by this vulnerability.

Q: How do I fix CVE-2026-44574 in Next.js?

Upgrade Next.js to version 15.5.16 or 16.2.5. As a temporary workaround, implement stricter input validation in your middleware functions.

Q: Is CVE-2026-44574 being actively exploited?

Currently, there are no public proof-of-concept exploits or reports of active exploitation campaigns related to CVE-2026-44574.

Q: Where can I find the official Next.js advisory for CVE-2026-44574?

Refer to the official Next.js security advisory for CVE-2026-44574 on the Next.js GitHub repository or website (check for updates as the advisory may be published later).

平台

nodejs

组件

nextjs

修复版本

15.5.16

在NVD查看

保存

CVE-2026-44574 describes an authorization bypass vulnerability within Next.js, a popular React framework. This flaw allows attackers to circumvent middleware protections on dynamic routes by manipulating query parameters, potentially granting unauthorized access to sensitive data. The vulnerability impacts versions 15.4.0 through 16.2.4, and a fix is available in versions 15.5.16 and 16.2.5.

影响与攻击场景翻译中…

The primary impact of CVE-2026-44574 is unauthorized access to protected resources within a Next.js application. Attackers can craft malicious query parameters that alter the dynamic route value seen by the application's pages, effectively bypassing middleware checks designed to enforce access control. This could lead to exposure of sensitive user data, administrative functions, or other restricted areas. The blast radius depends on the sensitivity of the protected routes and the potential for lateral movement within the application. A successful exploit could be particularly damaging if the application handles personally identifiable information (PII) or financial data.

利用背景翻译中…

CVE-2026-44574 was published on May 13, 2026. Its severity is rated HIGH with a CVSS score of 8.1. There are currently no public proof-of-concept (POC) exploits available, and no reports of active exploitation campaigns. The vulnerability is not listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog or has an EPSS score, suggesting a low to medium probability of exploitation in the near term.

威胁情报

漏洞利用状态

概念验证未知

CISA KEVNO

互联网暴露高

报告3 份威胁报告

CVSS 向量

这些指标意味着什么？

Attack Vector: 网络 — 可通过互联网远程利用，无需物理或本地访问。攻击面最大。
Attack Complexity: 低 — 无需特殊条件，可以稳定地利用漏洞。
Privileges Required: 低 — 任何有效用户账户均可。
User Interaction: 无 — 攻击自动且无声，受害者无需任何操作。
Scope: 未改变 — 影响仅限于脆弱组件本身。
Confidentiality: 高 — 完全丧失机密性，攻击者可读取所有数据。
Integrity: 高 — 攻击者可写入、修改或删除任何数据。
Availability: 无 — 无可用性影响。

受影响的软件

组件nextjs

供应商vercel

最低版本15.4.0

最高版本>= 16.0.0, < 16.2.5

修复版本15.5.16

弱点分类 (CWE)

CWE-288

时间线

已保留2026-05-06
发布日期2026-05-13

缓解措施和替代方案翻译中…

The recommended mitigation for CVE-2026-44574 is to immediately upgrade Next.js to version 15.5.16 or 16.2.5. If upgrading is not immediately feasible, consider implementing stricter input validation and sanitization within your middleware functions to prevent query parameter manipulation. Review all dynamic routes protected by middleware and ensure that the logic correctly validates the route value. While not a direct fix, implementing a Web Application Firewall (WAF) with rules to detect and block suspicious query parameter patterns can provide an additional layer of defense. After upgrading, confirm the fix by attempting to access protected routes with crafted query parameters to verify that the middleware checks are functioning as expected.

修复方法翻译中…

Actualice Next.js a la versión 15.5.16 o superior, o a la versión 16.2.5 o superior. Esta actualización corrige una vulnerabilidad de bypass de autorización en middleware que permite el acceso a contenido protegido sin la validación esperada.

常见问题翻译中…

What is CVE-2026-44574 — Authorization Bypass in Next.js?

CVE-2026-44574 is a HIGH severity vulnerability in Next.js affecting versions 15.4.0–>= 16.0.0, < 16.2.5. It allows attackers to bypass middleware checks by manipulating query parameters, potentially accessing protected content.

Am I affected by CVE-2026-44574 in Next.js?

If you are using Next.js versions 15.4.0 through 16.2.4 and rely on middleware to protect dynamic routes, you are potentially affected by this vulnerability.

How do I fix CVE-2026-44574 in Next.js?

Upgrade Next.js to version 15.5.16 or 16.2.5. As a temporary workaround, implement stricter input validation in your middleware functions.

Is CVE-2026-44574 being actively exploited?

Currently, there are no public proof-of-concept exploits or reports of active exploitation campaigns related to CVE-2026-44574.

Where can I find the official Next.js advisory for CVE-2026-44574?

Refer to the official Next.js security advisory for CVE-2026-44574 on the Next.js GitHub repository or website (check for updates as the advisory may be published later).

你的项目受影响吗?

上传你的依赖文件，立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE

live免费扫描

立即试用 — 无需账户

上传任何清单文件 (composer.lock, package-lock.json, WordPress 插件列表…) 或粘贴您的组件列表。您立即获得一份漏洞报告。上传文件只是开始：拥有账户后，您将获得持续监控、Slack/电子邮件警报、多项目和白标报告。

手动扫描Slack/邮件提醒持续监控白标报告

拖放您的依赖文件

composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...

浏览文件