CVE-2026-44572

LOW
Published May 13, 2026 Modified May 15, 2026 CWE-349

Description

Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send a x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat the request as a data request and replace the standard Location redirect header with the internal x-nextjs-redirect header. Browsers do not follow x-nextjs-redirect, so the response became an unusable redirect for normal clients. If the application was deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request could poison the cached redirect response for the affected path. Subsequent visitors could then receive a cached redirect response without a Location header, causing a denial of service for that redirect path until the cache entry expired or was purged. This vulnerability is fixed in 15.5.16 and 16.2.5.

CVSS v3.1 Score

3.7
LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS — Exploit Prediction

0.0001
Probability of exploitation
0.01%
Percentile rank

EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.

Weakness Type (CWE)

CWE-349 CWE-349

Affected Products

Vendor Product
vercel next.js
vercel next.js

References

Frequently Asked Questions

What is CVE-2026-44572? +
Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send a x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat the request as a data request and replace the standard Location redirect header with the internal x-nextjs-redirect header. Browsers do not follow x-nextjs-redirect, so the response became an unusable redirect for normal clients. If the application was deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request could poison the cached redirect response for the affected path. Subsequent visitors could then receive a cached redirect response without a Location header, causing a denial of service for that redirect path until the cache entry expired or was purged. This vulnerability is fixed in 15.5.16 and 16.2.5. It has a CVSS v3.1 base score of 3.7 (LOW).
How severe is CVE-2026-44572? +
CVE-2026-44572 has a CVSS v3.1 score of 3.7 out of 10, rated LOW. This is a low-severity vulnerability with limited impact. The EPSS score is 0.0001, placing it in the 0th percentile for exploitation probability.
What products are affected by CVE-2026-44572? +
CVE-2026-44572 affects products from vercel, specifically: next.js. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2026-44572? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-1680

An acceptance of extraneous untrusted data with trusted data vulnerability has been identified in Moxa’s Ethernet switches, which allows attackers …
CVE-2025-11411

NLnet Labs Unbound up to and including version 1.24.1 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that …
CVE-2025-5994

A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). …
CVE-2026-42960 10.0

NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records for the authority section. …
CVE-2024-25638 8.9

dnsjava is an implementation of DNS in Java. Records in DNS replies are not checked for their relevance to the …
CVE-2025-40776 8.6

A `named` caching resolver that is configured to send ECS (EDNS Client Subnet) options may be vulnerable to a cache-poisoning …

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2026-44572 — free, no signup required.

Start Free Scan