This emergency release introduces a new rule to detect Next.js App Router middleware and proxy bypass attempts via segment-prefetch routes (CVE-2026-44575).
Key Findings
CVE-2026-44575: Next.js Middleware / Proxy Bypass in App Router Applications via Segment-Prefetch Routes
Successful exploitation allows unauthenticated attackers to bypass middleware or proxy-based authorization checks in affected Next.js App Router applications. This leads to unauthorized access to protected content, potential exposure of sensitive application data, and compromise of application security boundaries.
We strongly recommend upgrading to Next.js 15.5.16 or 16.2.5 (or later) immediately to address the underlying vulnerability. If you cannot upgrade immediately, enforce authorization in the underlying route or page logic instead of relying solely on middleware.
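The fallback mitigation above (authorization in the route logic rather than only in middleware), as an added example that is not Cloudflare's or the Next.js project's code: the handler verifies the session itself, so a request that never passed through middleware is still rejected. The cookie name, token format, signing key and `admin` role are assumptions for illustration; in an App Router project the function would be exported as `GET` from a `route.js` file.

```javascript
const crypto = require('node:crypto');

// Assumption: the session cookie is "<userId>.<role>.<hex HMAC-SHA256>".
// The key below is a constructed demo value; load a real secret in production.
const SESSION_KEY = process.env.SESSION_KEY || 'constructed-demo-key';

function sign(payload) {
  return crypto.createHmac('sha256', SESSION_KEY).update(payload).digest('hex');
}

// Hypothetical helper that mints a session token (used here to build test input).
function issueSession(userId, role) {
  const payload = `${userId}.${role}`;
  return `${payload}.${sign(payload)}`;
}

// Returns { userId, role } for a validly signed cookie, otherwise null.
function verifySession(request) {
  const cookie = request.headers.get('cookie') || '';
  const match = cookie.match(/(?:^|;\s*)session=([^;]+)/);
  if (!match) return null;
  const parts = match[1].split('.');
  if (parts.length !== 3) return null;
  const [userId, role, mac] = parts;
  const expected = Buffer.from(sign(`${userId}.${role}`), 'hex');
  const given = Buffer.from(mac, 'hex');
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return null;
  }
  return { userId, role };
}

function json(status, body) {
  return new Response(JSON.stringify(body), { status, headers: { 'content-type': 'application/json' } });
}

// The check runs inside the handler, so it applies no matter how the request
// reached it, including when the middleware layer was skipped.
function GET(request) {
  const session = verifySession(request);
  if (!session) return json(401, { error: 'unauthenticated' });
  if (session.role !== 'admin') return json(403, { error: 'forbidden' });
  return json(200, { report: 'constructed protected payload' });
}
```
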
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 1de95bf6d6374e1099854278e77e4a53 | N/A | Next.js – Middleware Bypass via Invalid RSC Header – CVE:CVE-2026-44575 | N/A | Disabled | This is a new detection. |
Source: Cloudflare