{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/next.js/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["next (\u003e= 12.2.0, \u003c 15.5.16)","next (\u003e= 16.0.0, \u003c 16.2.5)"],"_cs_severities":["high"],"_cs_tags":["nextjs","authentication-bypass","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Next.js"],"content_html":"\u003cp\u003eNext.js applications using the Pages Router with \u003ccode\u003ei18n\u003c/code\u003e enabled and relying on middleware or proxy-based authorization are susceptible to an authentication bypass vulnerability, tracked as CVE-2026-44573. This vulnerability affects Next.js versions 12.2.0 through 15.5.15 and 16.0.0 through 16.2.4.  The vulnerability stems from the fact that middleware does not execute for unprefixed \u003ccode\u003e/_next/data/\u0026lt;buildId\u0026gt;/\u0026lt;page\u0026gt;.json\u003c/code\u003e data routes when using \u003ccode\u003ei18n\u003c/code\u003e. An attacker can exploit this to directly retrieve server-side rendered (SSR) JSON data for protected pages, effectively bypassing the intended authorization checks implemented within the middleware. This allows access to sensitive content without proper authentication or authorization.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Next.js application using the Pages Router with \u003ccode\u003ei18n\u003c/code\u003e configured.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a protected page that requires authentication or authorization based on middleware.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to \u003ccode\u003e/_next/data/\u0026lt;buildId\u0026gt;/\u0026lt;page\u0026gt;.json\u003c/code\u003e for the protected page, omitting any locale prefix. The \u003ccode\u003e\u0026lt;buildId\u0026gt;\u003c/code\u003e would be a valid build ID for the application, typically obtained from the HTML source of a page. The \u003ccode\u003e\u0026lt;page\u0026gt;\u003c/code\u003e is the path to the page.\u003c/li\u003e\n\u003cli\u003eThe Next.js server processes the request for the \u003ccode\u003e/_next/data\u003c/code\u003e route, but the middleware intended to protect the page is not triggered.\u003c/li\u003e\n\u003cli\u003eThe server fetches and returns the SSR JSON data for the protected page.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the SSR JSON data, gaining access to the content of the protected page without proper authorization.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the data, potentially finding sensitive information or API keys.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthorized access to sensitive data within Next.js applications. The impact depends on the nature of the data exposed on the protected pages. This could include personal user information, internal application data, or even API keys. This could lead to data breaches, account compromise, or further attacks against the application or its users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Next.js version 15.5.16 or 16.2.5 or later to patch CVE-2026-44573.\u003c/li\u003e\n\u003cli\u003eIf immediate upgrade is not possible, enforce authorization checks within the \u003ccode\u003egetServerSideProps\u003c/code\u003e or \u003ccode\u003egetStaticProps\u003c/code\u003e functions of affected pages as a workaround.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Next.js i18n Auth Bypass Attempt\u0026rdquo; to identify potential exploitation attempts targeting the \u003ccode\u003e/_next/data\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to the \u003ccode\u003e/_next/data\u003c/code\u003e endpoint without a locale prefix, as this is indicative of potential exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T15:56:51Z","date_published":"2026-05-11T15:56:51Z","id":"https://feed.craftedsignal.io/briefs/2026-05-nextjs-auth-bypass/","summary":"Next.js applications using the Pages Router with `i18n` and middleware-based authorization are vulnerable to an authentication bypass (CVE-2026-44573), allowing unauthorized access to protected page data via locale-less `/_next/data/\u003cbuildId\u003e/\u003cpage\u003e.json` requests.","title":"Next.js i18n Pages Router Middleware Authentication Bypass (CVE-2026-44573)","url":"https://feed.craftedsignal.io/briefs/2026-05-nextjs-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Next.js","version":"https://jsonfeed.org/version/1.1"}