CVE-2026-44576 MEDIUM

CVE-2026-44576: Next.js: Cache poisoning in React Server Component responses

Vendor Vercel
Product next.js
Weakness CWE-436
Published May 13, 2026
Last update May 18, 2026

CVSS base score

5.4/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L

What the vulnerability does

01 Description

Next.js is a React framework for building full-stack web applications. In versions from 14.2.0 up to, but not including, 15.5.16 and 16.2.5, applications using React Server Components (RSC) can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the original URL and poison shared cache entries, so that later visitors receive component payloads instead of the expected HTML. This vulnerability is fixed in 15.5.16 and 16.2.5.

Key dates

02 Disclosure timeline

May 13, 2026 CVE published
May 18, 2026 Record updated