CVE-2026-44574: Next.js has a Middleware / Proxy bypass through dynamic route parameter injection

May 11, 2026 (updated May 14, 2026)

Applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployments, specially crafted query parameters can alter the dynamic route value seen by the page while leaving the visible path unchanged, which can allow protected content to be rendered without passing the expected middleware check.

References

github.com/advisories/GHSA-492v-c6pp-mqqv
github.com/vercel/next.js/releases/tag/v15.5.16
github.com/vercel/next.js/releases/tag/v16.2.5
github.com/vercel/next.js/security/advisories/GHSA-492v-c6pp-mqqv
nvd.nist.gov/vuln/detail/CVE-2026-44574

Code Behaviors & Features

Detect and mitigate CVE-2026-44574 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →