Fluid Attacks Database

Description

A flaw was found in Next.js. App Router applications that use middleware or proxy-based authorization checks are vulnerable to unauthorized access. A remote attacker can exploit this by crafting specific .rsc and segment-prefetch URLs, which bypass the intended middleware rules. This allows access to protected content without proper authorization.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	next	>=15.2.0 <15.5.16 \|\| >=16.0.0 <16.2.5	15.5.16, 16.2.5
rpm rhel10	firefox	-	-
rpm rhel7	firefox	-	-
rpm rhel8	firefox	-	-
rpm rhel9	firefox	-	-
rpm rhel10	thunderbird	-	-
rpm rhel8	thunderbird	-	-
rpm rhel9	thunderbird	-	-

Aliases

1. CVE-2026-445752. NVD-2026-445753. OSV-2026-445754. GHSA-267c-6grr-h53f5. GCVE-2026-44575

References

1. https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f2. https://github.com/vercel/next.js/releases/tag/v15.5.163. https://github.com/vercel/next.js/releases/tag/v16.2.5