Fluid Attacks Database

Description

A flaw was found in Next.js. A remote unauthenticated attacker could exploit a bypass in a security fix when using middleware.ts with Turbopack. This vulnerability could lead to the disclosure of sensitive information.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	next	>=15.2.0 <15.5.18 \|\| >=16.0.0 <16.2.6	15.5.18, 16.2.6
rpm rhel10	firefox	-	-
rpm rhel7	firefox	-	-
rpm rhel8	firefox	-	-
rpm rhel9	firefox	-	-
rpm rhel10	thunderbird	-	-
rpm rhel8	thunderbird	-	-
rpm rhel9	thunderbird	-	-

Aliases

1. CVE-2026-451092. NVD-2026-451093. OSV-2026-451094. GHSA-267c-6grr-h53f5. GHSA-26hh-7cqf-hhc66. GCVE-2026-45109

References

1. https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f2. https://github.com/vercel/next.js/security/advisories/GHSA-26hh-7cqf-hhc63. https://github.com/vercel/next.js/releases/tag/v15.5.184. https://github.com/vercel/next.js/releases/tag/v16.2.6