Introduction
A coordinated security release from Vercel on May 6, 2026 patched thirteen advisories across Next.js and React Server Components, and among the most impactful was CVE-2026-44574: a middleware authorization bypass that lets attackers smuggle internal routing parameters into ordinary HTTP requests to render protected dynamic route content without passing any middleware checks. For any Next.js application that gates access to dynamic routes (think /dashboard/[userId] or /admin/[slug]) exclusively through middleware, this vulnerability quietly renders those guards ineffective.
Technical Information
Root Cause: Trust Boundary Mismatch Between Middleware and the App Router
Next.js internally uses reserved query parameters to track matched dynamic segments during routing. Parameters prefixed with nxtP represent path segment values (e.g., nxtPslug for a [slug] dynamic segment), and parameters prefixed with nxtI represent intercept route markers. These are intended to be set only by the framework's own internal routing engine and prefetch mechanisms.
In vulnerable versions, the App Router unconditionally trusts these parameters when they appear in incoming HTTP requests and uses them to construct the params object passed to the page handler. Middleware, on the other hand, only inspects request.nextUrl.pathname to make authorization decisions. This creates a fundamental desynchronization:
- Middleware evaluates the visible URL path and determines whether the request should be allowed or blocked.
- The App Router resolves the page using injected
nxtP*parameters, which can point to a completely different dynamic route value than what the pathname suggests.
Because these two components disagree on what the request actually targets, an attacker can craft a request where the pathname points to a public, unprotected route while the injected parameters direct the page handler to render protected content.
Attack Flow
The attack proceeds in two distinct arms, both exploiting the same underlying desynchronization.
Arm A: nxtP* Parameter Smuggling
The attacker sends a request to a known public path (e.g., /safe) while injecting the internal nxtPslug query parameter to target a protected dynamic route:
curl -k -s -i \ -H 'x-matched-path: /admin/[slug]' \ -H 'x-now-route-matches: 1=secret-page' \ "${TARGET}/safe?nxtPslug=secret-page&__nextDefaultLocale=&__nextLocale="
Middleware sees pathname = /safe, which is a public route, so no authorization check fires. The App Router, however, resolves the request using the injected nxtPslug parameter and invokes the handler for /admin/[slug] with params = { slug: "secret-page" }. The protected page renders without any authorization having occurred.
Arm B: Double Encoded Slash Mismatch
The attacker sends a request with a double encoded slash in the dynamic segment:
curl -k -s -i --path-as-is "${TARGET}/admin/foo%252Fsecret-page"
The pre patch client parameter parser runs encodeURIComponent on already encoded pathname parts, so /admin/foo%252Fbar round trips differently between the client and server. Middleware sees one segment value while the page handler decodes it to foo/secret-page, steering each side into a different code branch and again bypassing the authorization check.
In both arms, the exploit verifies success by checking for an HTTP 200 response containing a sentinel string (ADMIN_SECRET_FLAG) in the response body, confirming the protected page was rendered.
CWE Classification
This vulnerability is classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel), which accurately describes the core issue: the attacker reaches a protected resource through a routing path that the authentication mechanism does not cover.
Proof of Concept
A public, runnable proof of concept collection is available in the dwisiswant0/next-16.2.4-pocs GitHub repository (127 stars, 25 forks as of mid May 2026). The CVE-2026-44574 specific materials reside under poc/CVE-2026-44574_GHSA-492v-c6pp-mqqv/ and include:
exploit.sh: A bash script demonstrating both thenxtP*parameter smuggling (Arm A) and double encoded slash mismatch (Arm B) attacksexploit.py: A Python implementation of the same exploit logicCVE-2026-44574.yaml: A Nuclei template for automated scanning- A vulnerable sample application for local reproduction
The Nuclei template can be run directly against a target:
nuclei -u <target_url> -t poc/CVE-2026-44574_GHSA-492v-c6pp-mqqv/CVE-2026-44574.yaml
The exploit scripts target the nxtPslug parameter injection and the double encoding mismatch, checking for the ADMIN_SECRET_FLAG sentinel in the response to confirm successful bypass. The immediate public availability of these tools means the window between disclosure and potential exploitation is effectively zero.
Patch Information
Vercel addressed CVE-2026-44574 as part of the coordinated May 6, 2026 security release. The advisory, tracked as GHSA-492v-c6pp-mqqv, was published by Next.js maintainer timneutkens.
Patched versions:
| Version Line | Affected Range | Initial Patch | Recommended Upgrade Target |
|---|---|---|---|
| Next.js 15 | 15.4.0 to prior to 15.5.16 | 15.5.16 (2026-05-06) | 15.5.18 |
| Next.js 16 | 16.0.0 to prior to 16.2.5 | 16.2.5 (2026-05-06) | 16.2.6 |
The fix tightens the trust boundary around route parameter resolution. Next.js now only honors internal route parameter normalization in trusted routing flows, meaning the internal routing engine and prefetch mechanisms are the sole sources allowed to supply encoded route parameters. Any externally supplied parameter encodings that arrive in plain HTTP requests are ignored and discarded before they can influence dynamic segment resolution. The upstream commit f1c11203d5 normalizes encoded pathname parts on the client so they round trip identically with the server's encodeURIComponent(decoded) form, closing the desynchronization gap.
Because this was a security sensitive change, the commits were prepared in a private fork and merged directly into the release tags without individual public pull request numbers. The fix shipped alongside 11 other advisories in the same coordinated batch.
Interim workaround: For teams that cannot upgrade immediately, the advisory recommends moving authorization checks into route level or page level logic rather than depending exclusively on middleware path matching as a security gate.
Important WAF note: Both Vercel and Cloudflare have confirmed that WAF rules cannot reliably block this attack vector. Vercel states that patching is the only complete mitigation, and Cloudflare notes it is not possible to safely enable a generic managed rule for this class of vulnerability. Framework upgrades are required.
Affected Systems and Versions
The following Next.js versions are vulnerable:
- Next.js 15.x: versions 15.4.0 through 15.5.15 (inclusive)
- Next.js 16.x: versions 16.0.0 through 16.2.4 (inclusive)
The vulnerability specifically affects applications that:
- Use the App Router (not the legacy Pages Router for this specific attack path)
- Rely on middleware to enforce authorization on dynamic routes (e.g.,
/admin/[slug],/dashboard/[userId]) - Do not implement redundant authorization checks at the page or route handler level
Applications deployed on any hosting platform are affected, including Vercel, Cloudflare Pages, Netlify, and self hosted environments. Netlify has noted that users on Pages Router with i18n should also upgrade the Netlify plugin.
Vendor Security History
The May 2026 coordinated release patched thirteen advisories simultaneously across Next.js and React Server Components: six rated High severity, four Moderate, and two Low. This volume of routing and middleware bypass issues in a single batch reflects the inherent complexity of securing the boundary between middleware, routing, and rendering in modern server side rendering frameworks. Next.js has had prior middleware bypass vulnerabilities, and this pattern of desynchronization between middleware path evaluation and backend route resolution represents a recurring attack surface in the framework's architecture.
References
- GHSA-492v-c6pp-mqqv: Middleware / Proxy bypass through dynamic route parameter injection
- CVE Record: CVE-2026-44574
- GitHub Advisory: GHSA-492v-c6pp-mqqv
- Next.js May 2026 Security Release (Vercel Changelog)
- Next.js v16.2.5 Release
- Next.js v15.5.16 Release
- dwisiswant0/next-16.2.4-pocs: PoC Collection
- PoC README for CVE-2026-44574
- PoC exploit.sh for CVE-2026-44574
- Cloudflare: WAF and Framework Adapter Mitigations for React and Next.js
- Netlify: Security Update for Next.js and React Vulnerabilities
- TheCybrDef: 12 Next.js Flaws Exposed
- Eventus Security: Next.js Vulnerabilities Impact Identity Verification and Request Routing



