CVE Vulnerabilities

CVE-2026-45109

Authentication Bypass Using an Alternate Path or Channel

Published: May 13, 2026 | Modified: Jul 10, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
7.5 IMPORTANT
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Ubuntu
root.io logo minimus.io logo echo.ai logo

Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. This vulnerability is fixed in 15.5.18 and 16.2.6.

Weakness

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

Affected Software

NameVendorStart VersionEnd Version
Next.jsVercel15.2.0 (including)15.5.18 (excluding)
Next.jsVercel16.0.0 (including)16.2.6 (excluding)
Streams for Apache Kafka 2.9.4RedHatnext*
Red Hat Trusted Artifact Signer 1.4RedHatrhtas/rekor-search-ui-rhel9:1783327185*

Potential Mitigations

References