https://feed.craftedsignal.io/products/next--16.0.0--16.2.5/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 11 May 2026 15:56:51 +0000https://feed.craftedsignal.io/briefs/2026-05-nextjs-auth-bypass/Mon, 11 May 2026 15:56:51 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-nextjs-auth-bypass/Next.js applications using the Pages Router with `i18n` and middleware-based authorization are vulnerable to an authentication bypass (CVE-2026-44573), allowing unauthorized access to protected page data via locale-less `/_next/data/<buildId>/<page>.json` requests.Next.js applications using the Pages Router with i18n enabled and relying on middleware or proxy-based authorization are susceptible to an authentication bypass vulnerability, tracked as CVE-2026-44573. This vulnerability affects Next.js versions 12.2.0 through 15.5.15 and 16.0.0 through 16.2.4. The vulnerability stems from the fact that middleware does not execute for unprefixed /_next/data/<buildId>/<page>.json data routes when using i18n. An attacker can exploit this to directly retrieve server-side rendered (SSR) JSON data for protected pages, effectively bypassing the intended authorization checks implemented within the middleware. This allows access to sensitive content without proper authentication or authorization.

Attack Chain

1. The attacker identifies a Next.js application using the Pages Router with i18n configured.
2. The attacker identifies a protected page that requires authentication or authorization based on middleware.
3. The attacker crafts a request to /_next/data/<buildId>/<page>.json for the protected page, omitting any locale prefix. The <buildId> would be a valid build ID for the application, typically obtained from the HTML source of a page. The <page> is the path to the page.
4. The Next.js server processes the request for the /_next/data route, but the middleware intended to protect the page is not triggered.
5. The server fetches and returns the SSR JSON data for the protected page.
6. The attacker receives the SSR JSON data, gaining access to the content of the protected page without proper authorization.
7. The attacker analyzes the data, potentially finding sensitive information or API keys.

Impact

Successful exploitation of this vulnerability allows unauthorized access to sensitive data within Next.js applications. The impact depends on the nature of the data exposed on the protected pages. This could include personal user information, internal application data, or even API keys. This could lead to data breaches, account compromise, or further attacks against the application or its users.

Recommendation

• Upgrade to Next.js version 15.5.16 or 16.2.5 or later to patch CVE-2026-44573.
• If immediate upgrade is not possible, enforce authorization checks within the getServerSideProps or getStaticProps functions of affected pages as a workaround.
• Deploy the Sigma rule “Detect Next.js i18n Auth Bypass Attempt” to identify potential exploitation attempts targeting the /_next/data endpoint.
• Monitor web server logs for requests to the /_next/data endpoint without a locale prefix, as this is indicative of potential exploitation.

]]>highadvisorynextjsauthentication-bypassvulnerabilityhttps://feed.craftedsignal.io/briefs/2026-05-nextjs-middleware-bypass/Mon, 11 May 2026 15:56:36 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-nextjs-middleware-bypass/A vulnerability in Next.js (CVE-2026-44574) allows for authorization bypass in applications that use middleware to protect dynamic routes, enabling attackers to render protected content without proper authorization by crafting specific query parameters.A high-severity vulnerability, CVE-2026-44574, affects Next.js applications that rely on middleware for authorization of dynamic routes. This flaw allows attackers to bypass middleware checks by manipulating query parameters to alter the perceived route, granting access to protected content without proper authentication or authorization. This issue impacts Next.js versions 15.4.0 through 15.5.15 and 16.0.0 through 16.2.4. Successful exploitation leads to unauthorized access to sensitive data and functionalities within the affected application. Defenders should prioritize patching or implementing workarounds to mitigate the risk of exploitation.

Attack Chain

1. The attacker identifies a Next.js application using middleware for route protection.
2. The attacker discovers a dynamic route protected by middleware (e.g., /dashboard/[id]).
3. The attacker crafts a malicious URL containing manipulated query parameters designed to alter the dynamic route value. For example, /dashboard/evil%2Fpath?param=value.
4. The manipulated URL is sent to the Next.js application.
5. The application’s routing logic incorrectly interprets the altered route value, bypassing the middleware check intended for the original route.
6. The application renders the protected content associated with the manipulated route.
7. The attacker gains unauthorized access to sensitive information or functionalities.

Impact

Successful exploitation of CVE-2026-44574 allows attackers to bypass authorization checks in Next.js applications that rely on middleware for route protection. This can lead to unauthorized access to sensitive data, such as user profiles, financial records, or confidential documents. The impact is highly dependent on the specific application and the data it handles. Organizations using vulnerable Next.js versions should consider the potential for data breaches and unauthorized access to critical functionalities.

Recommendation

• Upgrade Next.js to version 15.5.16 or later, or 16.2.5 or later, to remediate CVE-2026-44574.
• If immediate upgrading is not possible, enforce authorization checks within the route or page logic itself, instead of relying solely on middleware path matching as recommended in the advisory.
• Deploy the Sigma rule “Detect CVE-2026-44574 Exploitation Attempt — Next.js Middleware Bypass” to identify potential exploitation attempts in web server logs.
• Monitor web server logs for suspicious URL patterns containing encoded characters or unusual query parameters targeting dynamic routes.

]]>highadvisorynextjsmiddlewareauthorizationbypassCVE-2026-44574cloud