{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-45109", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-08T19:27:26.699Z", "datePublished": "2026-05-13T17:11:07.275Z", "dateUpdated": "2026-06-30T12:10:22.500Z"}, "containers": {"cna": {"title": "Next.js: Middleware / Proxy bypass in App Router applications via segment-prefetch routes", "problemTypes": [{"descriptions": [{"cweId": "CWE-288", "lang": "en", "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/vercel/next.js/security/advisories/GHSA-26hh-7cqf-hhc6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vercel/next.js/security/advisories/GHSA-26hh-7cqf-hhc6"}], "affected": [{"vendor": "vercel", "product": "next.js", "versions": [{"version": ">= 15.2.0, < 15.5.17", "status": "affected"}, {"version": ">= 16.0.0, < 16.2.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-05-13T17:11:07.275Z"}, "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. This vulnerability is fixed in 15.5.18 and 16.2.6."}], "source": {"advisory": "GHSA-26hh-7cqf-hhc6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-13T18:39:20.946868Z", "id": "CVE-2026-45109", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-13T18:39:29.674Z"}}, {"affected": [{"cpes": ["cpe:/a:redhat:enterprise_linux_ai:3"], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AI (RHEL AI) 3", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:trusted_artifact_signer:1"], "defaultStatus": "affected", "product": "Red Hat Trusted Artifact Signer", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:amq_streams:2"], "defaultStatus": "affected", "product": "streams for Apache Kafka 2", "vendor": "Red Hat"}, {"cpes": ["cpe:/a:redhat:amq_streams:3"], "defaultStatus": "affected", "product": "streams for Apache Kafka 3", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:10"], "defaultStatus": "unaffected", "product": "Red Hat Enterprise Linux 10", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:7"], "defaultStatus": "unaffected", "product": "Red Hat Enterprise Linux 7", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8"], "defaultStatus": "unaffected", "product": "Red Hat Enterprise Linux 8", "vendor": "Red Hat"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "unaffected", "product": "Red Hat Enterprise Linux 9", "vendor": "Red Hat"}], "datePublic": "2026-05-13T17:11:07.275Z", "descriptions": [{"lang": "en", "value": "A flaw was found in Next.js. A remote unauthenticated attacker could exploit a bypass in a security fix when using middleware.ts with Turbopack. This vulnerability could lead to the disclosure of sensitive information."}], "metrics": [{"other": {"content": {"namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-358", "description": "Improperly Implemented Security Check for Standard", "lang": "en", "type": "CWE"}]}], "references": [{"tags": ["vdb-entry", "x_refsource_REDHAT"], "url": "https://access.redhat.com/security/cve/CVE-2026-45109"}, {"name": "RHBZ#2477190", "tags": ["issue-tracking", "x_refsource_REDHAT"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477190"}, {"tags": ["x_sadp-csaf-vex"], "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45109.json"}], "timeline": [{"lang": "en", "time": "2026-05-13T18:01:23.402Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-05-13T17:11:07.275Z", "value": "Made public."}], "title": "next.js: Next.js: Information disclosure via security fix bypass in middleware with Turbopack", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "x_adpType": "supplier", "x_generator": {"engine": "sadp-cli 1.0.0"}, "providerMetadata": {"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c", "shortName": "redhat-SADP", "dateUpdated": "2026-06-30T12:10:22.500Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "next.js: Next.js: Information disclosure via security fix bypass in middleware with Turbopack", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:/a:redhat:enterprise_linux_ai:3"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux AI (RHEL AI) 3", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:trusted_artifact_signer:1"], "vendor": "Red Hat", "product": "Red Hat Trusted Artifact Signer", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:amq_streams:2"], "vendor": "Red Hat", "product": "streams for Apache Kafka 2", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:amq_streams:3"], "vendor": "Red Hat", "product": "streams for Apache Kafka 3", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:10"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:7"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-05-13T18:01:23.402Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-05-13T17:11:07.275Z", "value": "Made public."}], "x_adpType": "supplier", "datePublic": "2026-05-13T17:11:07.275Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-45109", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477190", "name": "RHBZ#2477190", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45109.json", "tags": ["x_sadp-csaf-vex"]}], "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "x_generator": {"engine": "sadp-cli 1.0.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in Next.js. A remote unauthenticated attacker could exploit a bypass in a security fix when using middleware.ts with Turbopack. This vulnerability could lead to the disclosure of sensitive information."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-358", "description": "Improperly Implemented Security Check for Standard"}]}], "providerMetadata": {"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c", "shortName": "redhat-SADP", "dateUpdated": "2026-06-30T03:20:37.455Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-45109", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-13T18:39:20.946868Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-13T18:39:25.285Z"}}], "cna": {"title": "Next.js: Middleware / Proxy bypass in App Router applications via segment-prefetch routes", "source": {"advisory": "GHSA-26hh-7cqf-hhc6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "vercel", "product": "next.js", "versions": [{"status": "affected", "version": ">= 15.2.0, < 15.5.17"}, {"status": "affected", "version": ">= 16.0.0, < 16.2.6"}]}], "references": [{"url": "https://github.com/vercel/next.js/security/advisories/GHSA-26hh-7cqf-hhc6", "name": "https://github.com/vercel/next.js/security/advisories/GHSA-26hh-7cqf-hhc6", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. This vulnerability is fixed in 15.5.18 and 16.2.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-05-13T17:11:07.275Z"}}}, "cveMetadata": {"cveId": "CVE-2026-45109", "state": "PUBLISHED", "dateUpdated": "2026-06-30T03:20:37.455Z", "dateReserved": "2026-05-08T19:27:26.699Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-05-13T17:11:07.275Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"affected": [{"affectedData": [{"product": "next.js", "vendor": "vercel", "versions": [{"status": "affected", "version": ">= 15.2.0, < 15.5.17"}, {"status": "affected", "version": ">= 16.0.0, < 16.2.6"}]}], "source": "security-advisories@github.com"}], "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "555F170D-C56B-4A2E-9684-67E8F2AFD5FA", "versionEndExcluding": "15.5.18", "versionStartIncluding": "15.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "FA3ADAD4-2BBF-4905-9276-A24A758EB4C8", "versionEndExcluding": "16.2.6", "versionStartIncluding": "16.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. This vulnerability is fixed in 15.5.18 and 16.2.6."}], "id": "CVE-2026-45109", "lastModified": "2026-06-17T10:51:41.533", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}], "ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-45109", "options": [{"exploitation": "none"}, {"automatable": "yes"}, {"technicalImpact": "partial"}], "role": "CISA Coordinator", "timestamp": "2026-05-13T18:39:20.946868Z", "version": "2.0.3"}}]}, "published": "2026-05-13T18:16:19.283", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/vercel/next.js/security/advisories/GHSA-26hh-7cqf-hhc6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "next.js: Next.js: Information disclosure via security fix bypass in middleware with Turbopack", "id": "2477190", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2477190"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-358", "details": ["A flaw was found in Next.js. A remote unauthenticated attacker could exploit a bypass in a security fix when using middleware.ts with Turbopack. This vulnerability could lead to the disclosure of sensitive information."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-45109", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-gaudi-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/bootc-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "rhelai3/disk-image-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Affected", "package_name": "rhtas/rekor-search-ui-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:amq_streams:2", "fix_state": "Affected", "package_name": "next", "product_name": "streams for Apache Kafka 2"}, {"cpe": "cpe:/a:redhat:amq_streams:3", "fix_state": "Affected", "package_name": "next", "product_name": "streams for Apache Kafka 3"}], "public_date": "2026-05-13T17:11:07Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-45109\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-45109\nhttps://github.com/vercel/next.js/security/advisories/GHSA-26hh-7cqf-hhc6"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[15.2.0,15.5.17)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[16.0.0,16.2.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "next.js", "source": "cna", "vendor": "vercel"}, "product": "next.js", "vendor": "vercel"}], "created": "2026-05-13T20:00:03.749003+00:00", "updated": "2026-06-03T15:00:07.166292+00:00", "vendors": ["vercel", "vercel$PRODUCT$next.js"]}