This emergency release introduces a new rule to detect Next.js App Router middleware and proxy bypass attempts via segment-prefetch routes (CVE-2026-44575).
Key Findings
CVE-2026-44575: Next.js Middleware / Proxy Bypass in App Router Applications via Segment-Prefetch Routes
Successful exploitation allows unauthenticated attackers to bypass middleware or proxy-based authorization checks in affected Next.js App Router applications. This leads to unauthorized access to protected content, potential exposure of sensitive application data, and compromise of application security boundaries.
We strongly recommend upgrading to Next.js 15.5.16 or 16.2.5 (or later) immediately to address the underlying vulnerability. If you cannot upgrade immediately, enforce authorization in the underlying route or page logic instead of relying solely on middleware.
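The fallback mitigation above, as an added example (not code from Cloudflare or the Next.js project): the route handler performs its own session and role check, so the decision does not depend on middleware having run. The `SESSIONS` store, the `sid` cookie name and the `requireRole` helper are hypothetical.

```javascript
// Added example: authorization enforced inside the route handler itself.
// SESSIONS, requireRole and the "sid" cookie name are hypothetical.

// Constructed sample session store; a real app would query its session backend.
const SESSIONS = new Map([
  ['s-admin-1', { user: 'alice', roles: ['admin'] }],
  ['s-user-1', { user: 'bob', roles: ['user'] }],
]);

// Extract one cookie value from a Cookie header string.
function readCookie(header, name) {
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    if (part.slice(0, idx).trim() === name) return part.slice(idx + 1).trim();
  }
  return null;
}

// Decide from the session alone, never from the request path, request-type
// headers, or any marker a middleware layer may have set upstream.
function requireRole(request, role) {
  const sid = readCookie(request.headers.get('cookie'), 'sid');
  const session = sid ? SESSIONS.get(sid) : undefined;
  if (!session) return { ok: false, status: 401 };
  if (!session.roles.includes(role)) return { ok: false, status: 403 };
  return { ok: true, session };
}

// In a Next.js App Router project this function would be exported as GET
// from the protected route's route.js file.
function GET(request) {
  const auth = requireRole(request, 'admin');
  const headers = { 'content-type': 'application/json', 'cache-control': 'no-store' };
  if (!auth.ok) {
    return new Response(JSON.stringify({ error: 'denied' }), { status: auth.status, headers });
  }
  return new Response(JSON.stringify({ user: auth.session.user }), { status: 200, headers });
}
```

The same `requireRole` call belongs at the top of any server-side page or data-fetching function that returns protected content, so every entry point fails closed on its own.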
| Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments |
|---|---|---|---|---|---|---|
| Cloudflare Managed Ruleset | 1de95bf6d6374e1099854278e77e4a53 | N/A | Next.js – Middleware Bypass via Invalid RSC Header – CVE:CVE-2026-44575 | N/A | Disabled | This is a new detection. |
Source: Cloudflare