Bug 2477199 (CVE-2026-44573)

Summary: CVE-2026-44573 next.js: Next.js: Information disclosure due to middleware bypass in Pages Router with i18n
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: bbrownin, chfoley, eborisov, gotiwari, jgrulich, jhorak, kaycoth, lball, mvyas, ngough, rgodfrey, rhel-process-autobot, swoodman, tpopela, veshanka, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Next.js. Applications utilizing the Pages Router with internationalization (i18n) configured and middleware or proxy-based authorization are susceptible to unauthorized access. A remote attacker can exploit this by making locale-less /_next/data/<buildId>/<page>.json requests, which bypass the intended authorization checks. This allows the attacker to retrieve sensitive server-side rendered (SSR) JSON data from protected pages, leading to information disclosure.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2484248, 2484250, 2484263, 2484237, 2484252, 2484262, 2484267    
Bug Blocks:    

Description OSIDB Bzimport 2026-05-13 18:02:13 UTC
Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /_next/data/<buildId>/<page>.json requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks. This vulnerability is fixed in 15.5.16 and 16.2.5.

Comment 2 errata-xmlrpc 2026-07-02 00:04:51 UTC
This issue has been addressed in the following products:

  Streams for Apache Kafka 2.9.4

Via RHSA-2026:34608 https://access.redhat.com/errata/RHSA-2026:34608