Next.js P. Router i18n /_next/data JSON auth bypass by missing middleware (15.5)
CVE-2026-44573 Published on May 13, 2026

Next.js: Middleware / Proxy bypass in Pages Router applications using i18n
Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /_next/data/<buildId>/<page>.json requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks. This vulnerability is fixed in 15.5.16 and 16.2.5.

NVD

Vulnerability Analysis

CVE-2026-44573 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Types

What is an AuthZ Vulnerability?

The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVE-2026-44573 has been classified to as an AuthZ vulnerability or weakness.

Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection. For instance, the character strings /./ and / both mean current directory. If /SomeDirectory is a protected directory and an attacker requests /./SomeDirectory, the attacker may be able to gain access to the resource if /./ is not converted to / before the authorization check is performed.


Products Associated with CVE-2026-44573

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-44573 are published in these products:

Vercel Next Js
 
Red Hat Enterprise Linux Ai
 
Red Hat Trusted Artifact Signer
 
Red Hat Amq Streams
 
Red Hat Enterprise Linux (RHEL)
 

Affected Versions

vercel next.js: Red Hat Enterprise Linux AI (RHEL AI) 3: Red Hat Trusted Artifact Signer: Red Hat streams for Apache Kafka 2: Red Hat streams for Apache Kafka 3: Red Hat Enterprise Linux 10: Red Hat Enterprise Linux 7: Red Hat Enterprise Linux 8: Red Hat Enterprise Linux 9:

Exploit Probability

EPSS
0.35%
Percentile
26.84%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.