Next.js Middleware Turbopack Proxy Bypass Vulnerability

Vulnerability

A vulnerability in Next.js middleware processing with Turbopack allows proxy bypass in App Router applications. The issue arises because the fix for CVE-2026-44575 did not properly address middleware.ts when used with Turbopack. Affected versions are Next.js 15.2.0 up to, but not including, 15.5.18, and 16.0.0 up to, but not including, 16.2.6.

Impact

Exploitation of this vulnerability can lead to a proxy bypass, allowing unauthorized access to resources or segments of the application that should be restricted.

Remediation

Users can upgrade to Next.js versions 15.5.18 or 16.2.6 to address this vulnerability.
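
One way to check a project against the affected ranges above, as an added example that is not code from this advisory or from the Next.js project: it classifies every installed copy of `next` found in a parsed package-lock.json (the `packages` map of lockfile v2/v3). SAMPLE_LOCK is constructed, and reporting prerelease builds as "unknown" is an assumption, since the advisory lists release versions only; the check covers the version, not whether Turbopack or middleware.ts is in use.

```javascript
// Affected release ranges from the advisory: [first affected, first fixed).
const AFFECTED = [
  { from: [15, 2, 0], fixed: [15, 5, 18] },
  { from: [16, 0, 0], fixed: [16, 2, 6] },
];

// Parse "major.minor.patch[-prerelease][+build]"; null when not in that form.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

// Numeric comparison of two [major, minor, patch] triples: -1, 0 or 1.
function compareTriples(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Assumption: prerelease and unparseable versions are "unknown" (manual review).
function classify(version) {
  const v = parseVersion(version);
  if (!v || v.prerelease) return "unknown";
  const inRange = (r) => compareTriples(v.nums, r.from) >= 0 && compareTriples(v.nums, r.fixed) < 0;
  return AFFECTED.some(inRange) ? "affected" : "not-affected";
}

// Report every installed copy of `next`, including nested and workspace copies.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path !== "node_modules/next" && !path.endsWith("/node_modules/next")) continue;
    findings.push({ path, version: meta.version, status: classify(meta.version) });
  }
  return findings;
}

// Constructed sample; in practice pass JSON.parse of the project's package-lock.json.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "constructed-app" },
    "node_modules/next": { version: "15.5.17" },
    "node_modules/next-auth": { version: "4.24.0" },
    "apps/admin/node_modules/next": { version: "16.2.6" },
    "apps/docs/node_modules/next": { version: "16.1.0-canary.3" },
  },
};

console.table(scanLockfile(SAMPLE_LOCK));
```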

Added: May 13, 2026, 7:45 PM
Updated: May 13, 2026, 7:45 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 0.6
exploitability: 8.3
remediation: 7.7
relevance: 8.2
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.