Is CVE-2026-44574 in the CISA Known Exploited Vulnerabilities catalog?

CVE-2026-44574 is not currently listed in the CISA KEV catalog.

Which frameworks does CVE-2026-44574 affect?

CVE-2026-44574 affects Next.js.

Vulnerability intelligence

CVE-2026-44574

Specially crafted query parameters alter dynamic route values while leaving the visible URL path unchanged, bypassing middleware-based authorization in Next.js 13.0 through 15.5.15 and 16.x before 16.2.5. A separate CVE-2026-23869 enables memory exhaustion DoS via React Server Components. Astro, Svelte, and Hugo are not affected.

Next.js 2026

What WebPulse reported · 1 analysis

Next.js Authorization Bypass: A Crafted Query Parameter Changes Your Route Without Changing the URL. CVE-2026-44574.

Specially crafted query parameters alter dynamic route values while leaving the visible URL path unchanged, bypassing middleware-based authorization in Next.js

June 15, 2026

View CVE-2026-44574 on the NIST National Vulnerability Database →

Related vulnerabilities

CVE-2026-23869 CVE-2026-44580 CVE-2026-44578 CVE-2025-29927 CVE-2026-9082 CVE-2026-8206 CVE-2026-48019 CVE-2026-35273