GHSA-36qx-fr4f-26g5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-36qx-fr4f-26g5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-36qx-fr4f-26g5/GHSA-36qx-fr4f-26g5.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-36qx-fr4f-26g5
- Aliases
-
- CVE-2026-44573
- Related
- Published
- 2026-05-11T15:53:51Z
- Modified
- 2026-05-13T03:44:33.136846599Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n
- Details
-
Impact
Applications using the Pages Router with
i18nconfigured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less/_next/data/<buildId>/<page>.jsonrequests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks.Fix
The matcher logic was updated to perform the same match as it would on a non-i18n data route.
Workarounds
If you cannot upgrade immediately, enforce authorization in the page's server-side data path instead of relying solely on middleware.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-05-11T15:53:51Z", "nvd_published_at": null, "severity": "HIGH", "cwe_ids": [ "CWE-863" ] }- References
Affected packages
npm / next
Package
- Name
- next
- View open source insights on deps.dev
- Purl
- pkg:npm/next
npm / next
Package
- Name
- next
- View open source insights on deps.dev
- Purl
- pkg:npm/next