CVE-2026-44582: Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting

May 11, 2026 (updated May 14, 2026)

React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisions in the _rsc cache-busting value can allow an attacker to poison cache entries so users receive the wrong response variant for a given URL.

References

github.com/advisories/GHSA-vfv6-92ff-j949
github.com/vercel/next.js/releases/tag/v15.5.16
github.com/vercel/next.js/releases/tag/v16.2.5
github.com/vercel/next.js/security/advisories/GHSA-vfv6-92ff-j949
nvd.nist.gov/vuln/detail/CVE-2026-44582

Code Behaviors & Features

Detect and mitigate CVE-2026-44582 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →