Data

Tools

Indexes

Applications

Experiments

Dependabot

An open index of dependabot pull requests across open source projects.

Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes

RSS Feed HIGH
GHSA-267c-6grr-h53f CVE-2026-44575
Description:

Impact

App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used for segment prefetching. In affected configurations, specially crafted .rsc and segment-prefetch URLs can resolve to the same page without being matched by the intended middleware rule, which can allow protected content to be reached without the expected authorization check.

Fix

We now include App Router transport variants when generating middleware matchers, so middleware protections are applied consistently to those requests as well as to the normal page URL.

Workarounds

If you cannot upgrade immediately, enforce authorization in the underlying route or page logic instead of relying solely on middleware.

Affected Packages
Ecosystem Package Vulnerable Versions Patched Version
npm next >= 16.0.0, < 16.2.5
>= 15.2.0, < 15.5.16
 16.2.5
Related Dependabot Pull Requests
All Open Closed Merged
chore(deps): bump the majors group with 4 updates
Open about 4 hours ago
desko27/react-call #104
npm:astro npm:next +2 more
desko27
Bump next from 16.1.7 to 16.2.7 in /templates/next-app
Open about 6 hours ago
kimkhoi2202/prism-shadcn #28
npm:next
kimkhoi2202
deps(deps): bump next from 15.5.18 to 16.2.7
Open about 6 hours ago
ellisapotheosis/Project-Nyra #536
npm:next
ellisapotheosis
npm(deps-dev): bump the development-dependencies group with 10 updates
Open about 7 hours ago
FreeForCharity/FFC-EX-bearupinternationalministries.org #9
npm:@tailwindcss/postcss npm:prettier +8 more
FreeForCharity
chore(deps): bump the production-dependencies group across 1 directory with 15 updates
Open about 7 hours ago
alexanderovie/integrity2025 #52
npm:lucide-react npm:react-dom +13 more
alexanderovie
npm(deps-dev): bump the development-dependencies group across 1 directory with 10 updates
Open about 7 hours ago
FreeForCharity/FFC-EX-nittanypost245.org #115
npm:@types/node npm:@tailwindcss/postcss +7 more
FreeForCharity
Bump eslint-config-next from 16.0.1 to 16.2.7
Closed about 9 hours ago
veeradyani222/aero #24
npm:eslint-config-next
veeradyani222
npm(deps): bump the minor-and-patch group across 1 directory with 7 updates
Open about 10 hours ago
Sam-Ciber-Dev/eyeweb #36
npm:@types/node npm:next +4 more
Sam-Ciber-Dev
chore(deps): bump the npm_and_yarn group across 8 directories with 3 updates
Closed about 11 hours ago
dporkka/mastra #45
npm:vitest npm:next +1 more
dporkka
Bump the npm_and_yarn group across 1 directory with 7 updates
Open about 11 hours ago
Connect-Me-Tutoring/connect-me-tutor-portal #633
npm:vitest npm:axios +5 more
Connect-Me-Tutoring
chore(deps): bump next from 15.5.18 to 16.2.7
Open about 11 hours ago
lssmanager/OCTO #248
npm:next
lssmanager
chore(deps): Bump the npm_and_yarn group across 19 directories with 7 updates
Closed about 11 hours ago
Dev-moe-kyawaung/turborepo #5
npm:vitest npm:vite +3 more
Dev-moe-kyawaung
Bump the next-react group across 1 directory with 4 updates
Open about 11 hours ago
michaelrose01795/hnpsystem #43
npm:react-dom npm:next +2 more
michaelrose01795
Bump the npm_and_yarn group across 6 directories with 2 updates
Open about 12 hours ago
OpenZeppelin/openzeppelin-sui-marketplace #123
npm:vitest npm:next
OpenZeppelin
chore(deps): bump the npm_and_yarn group across 17 directories with 9 updates
Open about 12 hours ago
danielbodnar/templates #68
npm:vitest npm:astro +4 more
danielbodnar
chore(deps): bump the npm_and_yarn group across 30 directories with 4 updates
Open about 13 hours ago
EmilynnJ/CopilotKit #2
npm:vitest npm:next
EmilynnJ
chore(deps): bump the npm_and_yarn group across 22 directories with 7 updates
Closed about 13 hours ago
c6ai/langchainjs #25
npm:vitest npm:webpack-dev-server +3 more
c6ai
chore(deps)(deps): bump the npm-minor-and-patch group across 1 directory with 9 updates
Open about 14 hours ago
Jimmy6929/Molebie_AI #61
npm:@types/node npm:@types/react +6 more
Jimmy6929
chore(deps): bump the npm_and_yarn group across 6 directories with 3 updates
Closed about 16 hours ago
ComposioHQ/agent-orchestrator #2081
npm:vitest npm:next +1 more
ComposioHQ
chore(deps): bump the npm_and_yarn group across 7 directories with 2 updates
Closed about 17 hours ago
Phoenixrr2113/agent #123
npm:vitest npm:next
Phoenixrr2113
build(deps): bump the npm_and_yarn group across 1 directory with 11 updates
Closed about 18 hours ago
steffenkoenig/sketchgit #189
npm:next npm:dompurify +8 more
steffenkoenig
Bump eslint-config-next from 15.5.18 to 16.2.6
Open 1 day ago
D4M13N-D3V/portfolio_v2 #13
npm:eslint-config-next
D4M13N-D3V
chore(deps)(deps-dev): bump eslint-config-next from 15.5.18 to 16.2.6 in /web
Open 1 day ago
sheep-programmer/AIForge #21
npm:eslint-config-next
sheep-programmer
chore(deps): Bump next from 16.1.6 to 16.2.6
Open 1 day ago
nakamura196/iiif-annotator #3
npm:next
nakamura196
Bump next from 15.3.2 to 15.5.18 in /web in the npm_and_yarn group across 1 directory
Open 1 day ago
NightVibes33/wall-pics-ios #2
npm:next
NightVibes33
build(deps): bump the all-dependencies group across 1 directory with 18 updates
Open 1 day ago
jatinkumarsingh/Doctor_Appointment #5
npm:zod npm:lucide-react +15 more
jatinkumarsingh
build(deps): bump next from 16.2.1 to 16.2.6
Open 1 day ago
FINAL-FIGHT-COMBAT/FFC-APP #12
npm:next
FINAL-FIGHT-COMBAT
chore(deps): bump the next group with 2 updates
Open 1 day ago
fuzzynutsxrp-ship-it/fuzzynuts.xyz #11
npm:next npm:eslint-config-next
fuzzynutsxrp-ship-it
chore(deps-dev)(deps-dev): bump the development-minor-patch group with 5 updates
Open 1 day ago
aiinkiestism/hashmimic-v2 #9
npm:@tailwindcss/postcss npm:eslint-config-next +3 more
aiinkiestism
npm(dev): bump eslint-config-next from 15.5.4 to 16.2.6
Open 1 day ago
TakuyaFukumura/blog-next-js-app #69
npm:eslint-config-next
TakuyaFukumura
npm: bump next from 16.2.4 to 16.2.6
Open 1 day ago
TakuyaFukumura/divichart-next-js-app #192
npm:next
TakuyaFukumura
npm(dev): bump eslint-config-next from 15.5.4 to 16.2.6
Open 1 day ago
TakuyaFukumura/visuasset-next-js-app #67
npm:eslint-config-next
TakuyaFukumura
chore(deps): bump the next group with 2 updates
Closed 1 day ago
wannysim/mumak-www #355
npm:next npm:@next/bundle-analyzer
wannysim
build(deps): bump the npm_and_yarn group across 4 directories with 3 updates
Open 1 day ago
lwhite702/DRX_Primary #91
npm:next npm:@clerk/nextjs
lwhite702
build(deps): bump the npm_and_yarn group across 3 directories with 4 updates
Open 1 day ago
lwhite702/DRX_Primary #90
npm:axios npm:next +2 more
lwhite702
build(deps): bump the npm_and_yarn group across 4 directories with 6 updates
Open 1 day ago
luckyhegde6/gardenVerse #2
npm:next npm:uuid +3 more
luckyhegde6
feat(deps): Bump the npm_and_yarn group across 14 directories with 4 updates
Open 1 day ago
SherfeyInv/sentry-javascript #245
npm:next npm:nuxt +1 more
SherfeyInv
feat(deps): Bump the npm_and_yarn group across 17 directories with 5 updates
Closed 1 day ago
SherfeyInv/sentry-javascript #240
npm:astro npm:next +3 more
SherfeyInv
chore(deps): bump the minor-and-patch group across 1 directory with 13 updates
Open 1 day ago
bajajvinamr/sales-agent-publisher #59
npm:vitest npm:lucide-react +10 more
bajajvinamr
deps(deps-dev): bump eslint-config-next from 14.2.35 to 16.2.6
Open 1 day ago
iamjohnnymac/perthpintprices #111
npm:eslint-config-next
iamjohnnymac
build(deps): bump next from 16.0.10 to 16.2.6
Open 1 day ago
4Furki4/Turkce-Sozluk #187
npm:next
4Furki4
Bump the production-dependencies group across 1 directory with 4 updates
Closed 1 day ago
Tonkic/Tonkic.github.io #9
npm:@types/node npm:next +2 more
Tonkic
Build(deps): Bump the npm_and_yarn group across 1 directory with 5 updates
Closed 1 day ago
BEKO2210/HinSchG #43
npm:vitest npm:vite +3 more
BEKO2210
Bump next from 15.5.18 to 16.2.6 in /apps/web
Closed 1 day ago
AceWang377/AceProductStudio #7
npm:next
AceWang377
build(deps): Bump next from 15.1.3 to 15.5.18 in /apps/web
Closed 1 day ago
LuisDiazData/Olimpo #1
npm:next
LuisDiazData
chore(deps): bump next from 14.2.35 to 15.5.18
Closed 2 days ago
camster91/family-planner #15
npm:next
camster91
Bump next from 15.5.18 to 16.2.6 in the production-dependencies group
Open 2 days ago
dperezarbues/CVault #7
npm:next
dperezarbues
chore(deps): Bump next from 15.5.18 to 16.2.6
Open 2 days ago
makedirectory/aws-flow-builder #11
npm:next
makedirectory
Bump the npm_and_yarn group across 2 directories with 3 updates
Open 2 days ago
tranquilitybase07/billingos #47
npm:next npm:yaml +1 more
tranquilitybase07
chore(deps)(deps-dev): bump the development-dependencies group across 1 directory with 11 updates
Open 2 days ago
Kushalitha/next-resume-pro #84
npm:vitest npm:@types/node +8 more
Kushalitha
Actions
View on GitHub All Advisories
Advisory Details
Published: May 11, 2026 22 days ago
Updated: May 23, 2026 10 days ago
CVSS Score: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.05% 17th percentile
Source: Github
Classification: GENERAL
UUID: GSA_kwCzR0hTQS0yNjdjLTZncnItaDUzZs4ABWkK
PR Statistics
PR Status
Open 1157 (63.6%)
Merged 0 (0.0%)
Closed 662 (36.4%)
Update Types
Major 1606 (17.9%)
Minor 3654 (40.6%)
Patch 3709 (41.2%)
References