
Next.js Security Meltdown: 13 CVEs, Middleware Bypass, SSRF

[Image: Next.js May 2026 coordinated security release: 13 CVEs including middleware bypass and SSRF]

Vercel dropped 13 security advisories for Next.js last week — the framework’s largest single patch batch ever. Three CVEs let attackers silently bypass authentication middleware. One lets unauthenticated attackers steal cloud credentials from self-hosted deployments. Another can collapse any App Router endpoint under minimal traffic. Proof-of-concept code for 12 of the 13 flaws is already public on GitHub. If your Next.js app hasn’t been updated to version 15.5.16 or 16.2.5, it’s currently exposed.

Middleware Was Never a Security Boundary

The most consequential finding from this release isn’t a single CVE — it’s what three of them collectively prove. CVE-2026-44575 lets attackers reach protected App Router content by crafting .rsc and segment-prefetch URLs that match the right page but never trigger middleware rules. CVE-2026-44574 uses injected query parameters to alter dynamic route values, hiding the actual request path from middleware while the protected data still renders on the backend. CVE-2026-44573 hits Pages Router apps with i18n enabled: locale-less data requests bypass middleware entirely, returning full SSR JSON payloads without any authorization checks.

The irony is that Vercel’s own documentation already said this. For years, the Next.js auth guide has warned that middleware “is not a security boundary — it runs at the edge and is designed for routing and response shaping, not as a last line of defense.” Most developers read that as a caveat rather than a mandate. This release makes it a mandate.

This isn’t the first time the middleware boundary has collapsed. CVE-2025-29927, disclosed in March 2025, was a CVSS 9.1 flaw where sending a single x-middleware-subrequest header skipped all middleware logic across versions 11.1.4 through 15.2.2. The same class of problem, again. The lesson apparently needed repeating at scale.

The SSRF Nobody Was Talking About

While the middleware bypasses attracted most attention, CVE-2026-44578 may be the most damaging for teams running Next.js outside Vercel’s managed platform. By manipulating WebSocket upgrade requests, an unauthenticated attacker can force a self-hosted Node.js server to proxy traffic to arbitrary internal destinations — including cloud metadata services.

On AWS deployments using IMDSv1, that means a single crafted request can reach 169.254.169.254 and return IAM credentials. No authentication, no session, no prior access required. The same path reaches internal Redis instances, databases, and any internal API not exposed publicly. GCP metadata services are equally reachable. Vercel-managed deployments are confirmed not affected — but a significant share of Next.js production apps run on self-managed infrastructure: ECS, EC2, bare-metal, or Kubernetes. Those apps need this patch now.

React Flight Protocol Under Fire, Again

CVE-2026-23870 is not a Next.js bug — it’s an upstream React vulnerability in how the Flight protocol deserializes request payloads sent to Server Function endpoints. When a specially crafted payload containing cyclic or recursively referenced data structures hits a Server Function, the server enters a high-CPU state that persists until it errors out.

This is a low-bandwidth, application-layer denial of service. A handful of requests can exhaust server resources — no authentication required, no volumetric traffic needed. Every Next.js App Router deployment on versions 13.x through 16.x is affected. It’s also worth noting that this is the third wave of React Server Component CVEs in 2026. CVE-2025-55182 in December 2025 allowed remote code execution through the same RSC protocol. The pattern is consistent: the Flight protocol’s complexity is a recurring attack surface.

What To Do Right Now

The upgrade path is specific. Standard users should target Next.js 15.5.16 or 16.2.5 and React 19.0.6, 19.1.7, or 19.2.6. Teams using Turbopack need to go one step further: 15.5.18 or 16.2.6, as earlier patch versions left a gap in Turbopack-specific code paths. The full Vercel security release is documented here.

Cloudflare and Netlify both shipped WAF rules and framework adapter mitigations on May 6 — before most teams had patched — which buys some time but isn’t a substitute for upgrading. If you’re behind a WAF and haven’t upgraded, you’re relying on someone else’s interpretation of your attack surface.

The architectural fix matters as much as the version bump. Authentication must be enforced inside every Route Handler and Server Action. Middleware can handle redirects and edge routing. It cannot be your auth layer.
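The pattern this paragraph calls for, as an added example that is not code from the article, from Vercel or from the Next.js project: the Route Handler resolves the caller's session and checks the role itself, so the decision holds no matter which URL variant reached it or whether middleware ever ran. It uses only the Web Fetch API (`Request`/`Response`, available in Node 18+ and in Next.js route handlers); the session store, cookie name `session`, the route path and the session ids are constructed for the example.

```javascript
// Added example: authorization enforced inside the Route Handler itself.
// Nothing here depends on middleware having run first.

// Constructed session store standing in for a real lookup (DB, JWT verify, etc.).
const SESSIONS = new Map([
  ["s3ss10n-alice", { userId: "alice", role: "admin" }],
  ["s3ss10n-bob", { userId: "bob", role: "viewer" }],
]);

// Parse a Cookie header into a name -> value map.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Resolve the caller's session from the request, or null if absent or unknown.
function getSession(request) {
  const { session } = parseCookies(request.headers.get("cookie"));
  return session ? SESSIONS.get(session) ?? null : null;
}

function jsonResponse(body, status) {
  return new Response(JSON.stringify(body), {
    status,
    headers: { "content-type": "application/json" },
  });
}

// Guard to call at the top of every Route Handler and Server Action: returns the
// Response to send when the caller is not allowed, or null when it may proceed.
function requireRole(request, role) {
  const session = getSession(request);
  if (!session) return jsonResponse({ error: "unauthenticated" }, 401);
  if (role && session.role !== role) return jsonResponse({ error: "forbidden" }, 403);
  return null;
}

// Equivalent of app/api/admin/report/route.js. In a real route file this function
// would be exported; it is kept module-local here so the example runs stand-alone.
function GET(request) {
  const denied = requireRole(request, "admin");
  if (denied) return denied;
  // Only reached with a valid admin session, regardless of how the request arrived
  // (direct page request, .rsc or prefetch variant, or any path middleware never saw).
  return jsonResponse({ report: "quarterly-numbers" }, 200);
}

// Build a request for the handler with an optional session cookie (constructed input).
function makeRequest(sessionId) {
  const headers = sessionId ? { cookie: `session=${sessionId}` } : {};
  return new Request("http://localhost/api/admin/report", { method: "GET", headers });
}

// Status codes for three callers: anonymous, authenticated viewer, authenticated admin.
function statuses() {
  return {
    anonymous: GET(makeRequest(null)).status,
    viewer: GET(makeRequest("s3ss10n-bob")).status,
    admin: GET(makeRequest("s3ss10n-alice")).status,
  };
}

console.log(statuses()); // { anonymous: 401, viewer: 403, admin: 200 }
```

Middleware in this model is free to keep doing redirects and locale or edge routing; the `requireRole` call is what actually decides access, and it runs in the same place the data is produced, so a request that skips middleware still gets a 401 or 403 rather than the payload.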

The Real Conversation

Thirteen advisories at once is unusual. The developer community noticed — “I’m Done With NextJS” sentiment spiked noticeably following the release. That’s an overreaction, but it points at something real.

React Server Components were a major architectural bet: move data fetching closer to the source, reduce client bundle size, improve performance. That bet introduced the Flight protocol, server-side deserialization, and a routing model complex enough that middleware can’t reliably see all paths. The security cost of that complexity is now showing up in the CVE list. The question isn’t whether to keep using Next.js — for most teams, the ecosystem lock-in is real and the alternatives have their own problems. The question is whether the security model has kept pace with the feature set. Right now, the answer is no.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
