Is CVE-2026-23869 in the CISA Known Exploited Vulnerabilities catalog?

CVE-2026-23869 is not currently listed in the CISA KEV catalog.

Which frameworks does CVE-2026-23869 affect?

CVE-2026-23869 affects Next.js, React.

Vulnerability intelligence

CVE-2026-23869

State-changing operations triggered by link clicks and browser prefetch. The RSC boundary is thinner than it looks.

Next.js React 2026

What WebPulse reported · 3 analyses

RedwoodSDK Server Functions Accept GET Requests. The RSC Boundary Problem.

State-changing operations triggered by link clicks and browser prefetch. The RSC boundary is thinner than it looks.

June 22, 2026

React Server Components Carry a DoS Flaw. Every RSC Framework Inherits It.

CVE-2026-23869 scores CVSS 7.5. A cyclic payload in React Flight protocol exhausts CPU for 60 seconds per request.

June 21, 2026

Next.js Authorization Bypass: A Crafted Query Parameter Changes Your Route Without Changing the URL. CVE-2026-44574.

Specially crafted query parameters alter dynamic route values while leaving the visible URL path unchanged, bypassing middleware-based authorization in Next.js

June 15, 2026

View CVE-2026-23869 on the NIST National Vulnerability Database →

Related vulnerabilities

CVE-2026-44580 CVE-2026-44578 CVE-2026-44574 CVE-2025-29927 CVE-2025-55182 CVE-2025-11953 CVE-2026-9082 CVE-2026-8206