Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n

GHSA-36qx-fr4f-26g5 · CVE-2026-44573

Published May 11, 2026 · Modified May 14, 2026

Description

Impact

Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /_next/data/<buildId>/<page>.json requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks.

Fix

The matcher logic was updated to perform the same match as it would on a non-i18n data route.

Workarounds

If you cannot upgrade immediately, enforce authorization in the page's server-side data path instead of relying solely on middleware.

References

WEB https://github.com/vercel/next.js/security/advisories/GHSA-36qx-fr4f-26g5
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-44573
PACKAGE https://github.com/vercel/next.js
WEB https://github.com/vercel/next.js/releases/tag/v15.5.16
WEB https://github.com/vercel/next.js/releases/tag/v16.2.5

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes