Next.js May 2026 security release

Link to headingSummary

We have shipped a coordinated security release for Next.js addressing 13 advisories across denial of service, middleware and proxy bypass, server-side request forgery, cache poisoning, and cross-site scripting. One advisory addresses an upstream React Server Components vulnerability tracked as CVE-2026-23870.

Link to headingRecommended actions

Patched versions are available for both React and Next.js, and all affected users should upgrade immediately.

Link to headingImpact

The release addresses the following advisories:

Link to headingMiddleware and proxy bypass

Affects applications that rely on middleware.js or proxy.js for authorization.

High: Auth bypass via App Router segment-prefetch URL
High: App Router segment-prefetch bypass, incomplete fix follow-up
High: Pages Router i18n default-locale path bypasses proxy authorization
High: Bypass via dynamic route parameter injection
Low: Middleware redirects can be cache-poisoned

Link to headingDenial of service

Affects applications using Server Functions, Partial Prerendering with Cache Components, or the Image Optimization API.

High: DoS in React Server Components (tracked upstream as CVE-2026-23870)
High: DoS via connection exhaustion in applications using Cache Components
Moderate: DoS via the Image Optimization API

Link to headingServer-side request forgery

Affects applications that handle WebSocket upgrade requests.

High: SSRF in applications using WebSocket upgrades

Link to headingCache poisoning

Affects applications with caching layers in front of React Server Component responses.

Moderate: Cache poisoning in React Server Component responses
Low: Cache poisoning via collisions in RSC cache-busting

Link to headingCross-site scripting

Affects applications using CSP nonces in App Router, or beforeInteractive scripts that consume untrusted input.

Moderate: XSS in App Router applications using CSP nonces
Moderate: XSS in beforeInteractive scripts with untrusted input

Link to headingResolution

These vulnerabilities are addressed by the patched releases of React and Next.js. Patching is the only complete mitigation, and all affected users should upgrade immediately.

Vercel has not deployed new WAF rules for this release; these advisories cannot be reliably blocked at the WAF layer.

Link to headingAffected versions

Package	Affected	Upgrade to
Next.js `13.x`, `14.x`	`all versions`	`15.5.18` or `16.2.6`
Next.js `15.x`	`<=15.5.17`	`15.5.18`
Next.js `16.x`	`<=16.2.5`	`16.2.6`
react-server-dom-* `19.0.x`	`<=19.0.5`	`19.0.6`
react-server-dom-* `19.1.x`	`<=19.1.6`	`19.1.7`
react-server-dom-* `19.2.x`	`<=19.2.5`	`19.2.6`

Link to headingFixed in

Next.js: 15.5.18, 16.2.6
React: 19.0.6, 19.1.7, 19.2.6 for the react-server-dom-parcel, react-server-dom-webpack and react-server-dom-turbopack packages

Frameworks and bundlers using react-server-dom-* packages should install the latest versions provided by their respective maintainers.

Link to headingReferences

Upstream React advisory (CVE-2026-23870)

Agent Stack

Core Platform

Tools

Learn

Build

Explore