Next.js May 2026: 13 Security Flaws, Patch Now

WebRestart

On May 6–7, 2026 the Vercel team published a coordinated security release for Next.js addressing 13 advisories — one of the largest single batches in the framework's history. Several are high severity and affect self-hosted deployments in ways that WAF rules cannot reliably block.

Patching is the only complete mitigation. Update to 15.5.18 or 16.2.6 as soon as possible.

What Is Covered

The 13 advisories span five categories. One CVE (CVE-2026-23870) is tracked upstream in React Server Components; the remaining twelve are in Next.js itself.

Middleware and Proxy Bypass

Five advisories fall into this category; four are rated High and one Low.

  • Auth bypass via App Router segment-prefetch URL — crafted prefetch requests could skip Middleware entirely, reaching protected routes without a valid session.
  • Segment-prefetch bypass follow-up — an incomplete fix for the above was shipped the same day, tracked as a separate advisory.
  • Pages Router i18n default-locale path bypass — the default locale path resolves before proxy authorization checks are applied.
  • Dynamic route parameter injection — injecting certain characters into dynamic segments lets attackers route around Middleware guards.
  • Middleware redirect cache poisoning (Low) — a poisoned redirect can be stored and served to subsequent visitors.

Denial of Service

Three advisories, two rated High and one Moderate.

  • React Server Components DoS (CVE-2026-23870, High) — a malformed RSC payload can exhaust server memory and crash the process.
  • Connection exhaustion via Cache Components (High) — Cache Component requests can be held open to starve the connection pool.
  • Image Optimization API DoS (Moderate) — the built-in image endpoint accepts inputs that trigger unbounded processing.

Server-Side Request Forgery

One advisory rated High: the WebSocket upgrade handler passes caller-controlled URLs through without sufficient validation, exposing internal services on self-hosted infrastructure. Vercel-hosted deployments are not affected by this particular issue.

Cache Poisoning

Two advisories.

  • RSC response poisoning (Moderate) — an attacker can seed the RSC cache with a crafted response, serving malicious data to legitimate users on subsequent requests.
  • RSC cache-busting collision (Low) — a hash collision in cache keys can cause stale or foreign responses to be served.

Cross-Site Scripting

Two advisories, both Moderate.

  • CSP nonce handling in App Router — nonces generated for Content Security Policy headers leak in ways that weaken the CSP.
  • Untrusted input in beforeInteractive scripts — unsanitized data passed to beforeInteractive Script components can execute arbitrary JavaScript.

Who Is Most at Risk

Self-hosted Next.js deployments face the broadest exposure. The SSRF vulnerability (WebSocket upgrade, GHSA-c4j6-fc7j-m34r) is confirmed not to affect apps running on Vercel's managed infrastructure, but the auth bypass and DoS issues apply regardless of hosting platform.

Versions 13.x and 14.x will not receive backport patches. Those projects must upgrade to a supported minor before they can apply these fixes.

How to Upgrade

# For Next.js 15.x
npm install next@15.5.18

# For Next.js 16.x
npm install next@16.2.6

If you use React Server Components, also update the React packages:

npm install react@19.1.7 react-dom@19.1.7 react-server-dom-webpack@19.1.7

After upgrading, revalidate cached content to clear any poisoned entries:

# Using on-demand revalidation
curl -X POST https://yoursite.com/api/revalidate

After Patching

A few extra steps are worth doing alongside the upgrade:

  1. Audit Middleware authentication logic — the bypass disclosures are a good prompt to verify that every protected route is guarded at the correct layer and not relying solely on Middleware.
  2. Review raw HTML rendering — the XSS issues surface when user-supplied data reaches dangerouslySetInnerHTML or beforeInteractive scripts; grep the codebase for both.
  3. Rate-limit the Image Optimization API — until the patch is applied (or if you need time to test), adding a rate limit at the CDN or reverse proxy level reduces DoS risk.

The full list of advisories is published in the Next.js security changelog and on the Vercel changelog. If your project is running an affected version, do not wait — upgrade today.