CVE-2026-44573: Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n

May 11, 2026 (updated May 14, 2026)

Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /_next/data/<buildId>/<page>.json requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks.

References

github.com/advisories/GHSA-36qx-fr4f-26g5
github.com/vercel/next.js/releases/tag/v15.5.16
github.com/vercel/next.js/releases/tag/v16.2.5
github.com/vercel/next.js/security/advisories/GHSA-36qx-fr4f-26g5
nvd.nist.gov/vuln/detail/CVE-2026-44573

Code Behaviors & Features

Detect and mitigate CVE-2026-44573 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →