{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-45109","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-05-08T19:27:26.699Z","datePublished":"2026-05-13T17:11:07.275Z","dateUpdated":"2026-07-07T12:04:52.845Z"},"containers":{"cna":{"title":"Next.js: Middleware / Proxy bypass in App Router applications via segment-prefetch routes","problemTypes":[{"descriptions":[{"cweId":"CWE-288","lang":"en","description":"CWE-288: Authentication Bypass Using an Alternate Path or Channel","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}}],"references":[{"name":"https://github.com/vercel/next.js/security/advisories/GHSA-26hh-7cqf-hhc6","tags":["x_refsource_CONFIRM"],"url":"https://github.com/vercel/next.js/security/advisories/GHSA-26hh-7cqf-hhc6"}],"affected":[{"vendor":"vercel","product":"next.js","versions":[{"version":">= 15.2.0, < 15.5.17","status":"affected"},{"version":">= 16.0.0, < 16.2.6","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-05-13T17:11:07.275Z"},"descriptions":[{"lang":"en","value":"Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. This vulnerability is fixed in 15.5.18 and 16.2.6."}],"source":{"advisory":"GHSA-26hh-7cqf-hhc6","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-13T18:39:20.946868Z","id":"CVE-2026-45109","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-13T18:39:29.674Z"}},{"affected":[{"cpes":["cpe:/a:redhat:amq_streams:2.9::el9"],"defaultStatus":"affected","product":"Streams for Apache Kafka 2.9.4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux_ai:3"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:trusted_artifact_signer:1"],"defaultStatus":"affected","product":"Red Hat Trusted Artifact Signer","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:amq_streams:3"],"defaultStatus":"affected","product":"streams for Apache Kafka 3","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:10"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 10","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:7"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 7","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:8"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 8","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:9"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 9","vendor":"Red Hat"}],"datePublic":"2026-05-13T17:11:07.275Z","descriptions":[{"lang":"en","value":"A flaw was found in Next.js. A remote unauthenticated attacker could exploit a bypass in a security fix when using middleware.ts with Turbopack. This vulnerability could lead to the disclosure of sensitive information."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-358","description":"Improperly Implemented Security Check for Standard","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-45109"},{"name":"RHBZ#2477190","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2477190"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45109.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:34608"}],"solutions":[{"lang":"en","value":"RHSA-2026:34608: Streams for Apache Kafka 2.9.4"}],"timeline":[{"lang":"en","time":"2026-05-13T18:01:23.402Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-05-13T17:11:07.275Z","value":"Made public."}],"title":"next.js: Next.js: Information disclosure via security fix bypass in middleware with Turbopack","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-07-07T12:04:52.845Z"}}]}}