What Happened
CVE-2026-44575 allows attackers to bypass middleware-based authorization controls in Next.js App Router applications through manipulated request paths. The vulnerability affects Next.js versions 15.2.0 through 15.5.15 and 16.0.0 through 16.2.4. When exploited, protected routes become accessible without triggering authentication checks, exposing resources that developers assumed were secured by middleware.
The attack works by crafting specific request paths that the App Router processes differently than the middleware layer expects. Your middleware executes, validates nothing suspicious, and allows the request through—but the router then serves a protected resource that should have been blocked.
Timeline
The public disclosure timeline for this vulnerability remains limited. What we know: the CVE was assigned and patches were released for affected versions. Organizations running Next.js in the affected version ranges had their middleware-protected routes exposed until they upgraded or implemented compensating controls.
Unlike traditional web server vulnerabilities where exploitation requires complex payloads, this bypass requires only path manipulation—attackable by anyone who can send HTTP requests to your application.
Which Controls Failed or Were Missing
The primary failure: treating middleware as a complete security boundary. Three specific control gaps enabled this vulnerability:
Authorization implemented only at the middleware layer. Route handlers contained no independent authorization checks. They assumed that if code execution reached them, authorization had already passed. When the middleware bypass worked, these handlers served protected data to unauthenticated requests.
No defense-in-depth for access control. A single authorization check—regardless of where it sits—creates a single point of failure. Your authentication logic should not trust that previous layers succeeded. Each handler processing sensitive data needs its own authorization verification.
Missing request path normalization validation. The middleware and router interpreted paths differently. This parsing discrepancy—where one component normalizes /api/admin and another processes /api//admin as distinct—created the bypass opportunity. Your security controls must validate that path interpretation remains consistent across all processing layers.
What the Relevant Standards Require
OWASP ASVS v4.0.3 Section 4.1.2 requires that access control enforcement happens at a trusted service layer, not just at the presentation or routing layer. Middleware sits between these layers. The standard specifically warns against relying on client-controllable data—including URL paths—for security decisions without server-side validation.
PCI DSS v4.0.1 Requirement 6.4.3 mandates that applications prevent common attacks, explicitly including authorization bypass. The requirement's intent statement clarifies that access controls must be "enforced on the server side" and "not be able to be bypassed." A middleware layer that can be circumvented through path manipulation fails this requirement.
OWASP Top 10 2021 A01:2021 – Broken Access Control identifies broken access control as the most critical web application security risk. The category specifically includes "bypassing access control checks by modifying the URL." CVE-2026-44575 is a textbook example: attackers modify request paths to circumvent middleware authorization, accessing resources without proper authentication.
ISO/IEC 27001:2022 Control 8.3 requires that access to information and systems be restricted based on business and security requirements. When middleware bypass allows unauthorized access to protected routes, you're not meeting this control. The control requires "appropriate access control" that actually prevents unauthorized access—not access control that appears to work until someone manipulates a path.
For SOC 2 Type II compliance, this vulnerability creates problems across multiple Trust Services Criteria. CC6.1 requires logical access controls to prevent unauthorized access. CC6.6 requires that access control rules be enforced. A middleware bypass that grants access to protected resources violates both criteria. Your auditor will want evidence that authorization checks happen at multiple layers, not just in middleware.
Lessons and Action Items for Your Team
Stop treating middleware as your authorization layer. Implement authorization checks directly in every route handler that processes sensitive data. Your API routes should validate tokens, check permissions, and verify user context before executing business logic—regardless of what middleware already ran.
Here's the pattern: middleware handles cross-cutting concerns like logging, rate limiting, and request validation. Route handlers own authorization for the resources they expose. This creates defense-in-depth where path manipulation bypasses become irrelevant because the handler independently verifies authorization.
Audit your current Next.js applications for middleware-only authorization. Search your codebase for route handlers that access databases, call internal APIs, or return user data without their own authorization checks. These handlers assume middleware protection worked. Add explicit authorization validation to each one.
Implement request path normalization validation. Before your middleware makes authorization decisions based on paths, normalize them using the same logic your router uses. If you cannot guarantee consistent path interpretation across layers, add validation that rejects requests with path anomalies—multiple slashes, encoded characters in unexpected positions, or trailing path segments.
For applications you cannot immediately patch: AppTrana and similar Web Application Firewalls offer virtual patching rules that detect and block the specific path manipulation patterns used in CVE-2026-44575 exploits. This is a temporary mitigation, not a permanent fix. Virtual patching buys you time to upgrade but does not address the architectural problem of middleware-only authorization.
Update your secure development standards. Add a requirement that all route handlers processing sensitive resources must implement independent authorization checks. Make this a code review checkpoint. Your CI/CD pipeline should flag handlers that access protected resources without authorization validation.
Test for authorization bypass vulnerabilities regularly. Add test cases that attempt to access protected routes using path manipulation techniques—double slashes, encoded characters, case variations, trailing slashes. Your security testing should verify that authorization fails at the handler level even when middleware is bypassed.
The core lesson: middleware is infrastructure, not a security boundary. Authorization belongs in the code that protects resources, not in the routing layer that delivers requests to that code.
CVE Details
