Originally published at devtoolpicks.com
On May 7, 2026, Vercel released coordinated security patches for Next.js addressing 13 vulnerabilities in a single batch. The affected versions are Next.js 13.x through 16.x using the App Router. The patched versions are 15.5.18 and 16.2.6.
Here is the part that most writeups are glossing over. Vercel's own advisory states that it has not deployed WAF rules for this release, and that these vulnerabilities "cannot be reliably blocked at the WAF layer." For every previous major Next.js security release going back to December 2025, Vercel pushed WAF mitigations first. This time they are not. Patching is the only fix.
If you are running a Next.js App Router application anywhere, open your terminal before you finish reading this.
What you need to do right now
For most indie hackers on a current release, this is one command:
npm install next@latest
If you are on a specific minor version and cannot upgrade to the latest:
npm install next@15.5.18 # for 15.x
npm install next@16.2.6 # for 16.x
React's server packages also need updating if you are on 19.x:
npm install react@latest react-dom@latest
For Next.js 16.1.0 and above, you can also use the built-in upgrade command:
npx next upgrade
After upgrading, redeploy your application. That is it. There is no workaround, no config change, and no WAF rule that replaces the patch.
What the 13 advisories actually cover
The vulnerabilities fall into five categories. Not all of them apply to every setup, so it is worth knowing which ones are relevant to you.
Middleware and authorization bypass (four CVEs, high severity)
This is the category most indie hackers should care about. If you are using middleware.js or a proxy layer to handle authentication or authorization in your Next.js app, these CVEs directly undermine that protection.
CVE-2026-44575 affects App Router setups where specially crafted .rsc and segment-prefetch URLs bypass middleware rules entirely. An attacker can reach protected content without triggering any authorization check. CVE-2026-44574 works through query parameter injection that alters dynamic route values, hiding the actual request path from middleware while still rendering protected data on the backend.
The Pages Router is also affected via CVE-2026-44573: locale-less /_next/data/<buildId>/<page>.json requests bypass middleware in apps using i18n configuration, allowing retrieval of server-rendered JSON for protected pages.
A fourth advisory addresses an incomplete fix from a previous release. If you already patched for an earlier middleware bypass, you need to patch again.
The practical implication: if you built auth on the assumption that Next.js middleware would catch everything, that assumption was wrong. Patching closes these holes, but after you upgrade it is worth auditing whether any authentication logic lives exclusively in middleware without a server-side fallback.
Denial of service (three CVEs, high severity)
CVE-2026-23870 tracks upstream to a React Server Components vulnerability in the Flight protocol. Crafted HTTP requests to any App Router Server Function endpoint can trigger excessive CPU usage, taking down unpatched servers. The vulnerability requires no authentication.
A second DoS path (CVE-2026-44579) targets apps using Cache Components for Partial Prerendering. Malicious POST requests create a request-body deadlock that leaves server connections open until file descriptors are exhausted. Vercel suggests blocking the Next-Resume header as a temporary mitigation for teams unable to patch immediately, but the only complete fix is upgrading.
For solo developers hosting on Vercel, the DoS impact is softened by Vercel's serverless architecture. A crashed function does not take down other requests. But it can spike your function costs, and if you are on a self-hosted setup, the impact is more severe.
SSRF via WebSocket upgrade (CVE-2026-44578, critical, self-hosted only)
This one matters most to developers self-hosting Next.js on a Node.js server. By sending crafted WebSocket upgrade requests, an unauthenticated attacker can force the server to proxy traffic to arbitrary internal or external destinations. In cloud environments, this can expose cloud metadata endpoints.
Vercel-hosted deployments are explicitly listed as unaffected by this specific CVE. If your app is on Vercel, Railway, or another platform that abstracts the server, you are not exposed here. If you are running Next.js directly on a VPS with the built-in Node.js server, this is the most critical thing to patch. The Railway vs Render vs Fly.io comparison covers the managed hosting options if you are weighing a move away from self-hosting.
Cache poisoning and XSS
The remaining advisories address cache poisoning vectors in the Image Optimization API and XSS vulnerabilities in specific rendering paths. Details are still being disclosed as the patch rollout completes, but they are fixed in 15.5.18 and 16.2.6.
Who is not affected
It is worth being specific about this, because some of the coverage is creating more alarm than necessary.
Pages Router apps: Not affected by the RSC and App Router middleware bypass vulnerabilities. Still worth upgrading for the i18n bypass and to stay current, but the critical CVEs above do not apply.
Vercel-hosted apps: Protected from the SSRF vulnerability specifically. Still affected by the middleware and DoS CVEs, so upgrading is still required.
Astro, Gatsby, and Remix apps: Not affected. These frameworks do not use React Server Components in the same way.
Client-only React apps: Not affected. The vulnerable code paths require server-side rendering.
Edge Runtime apps: Not affected by the RSC vulnerabilities. The Edge Runtime does not use the vulnerable server-side RSC implementation.
The RSC debate this is reigniting
This is the sixth or seventh time in roughly six months that a serious vulnerability has been traced back to the React Server Components protocol. Kent C. Dodds, one of the most followed educators in the React community, posted a widely discussed response to this latest batch stating that he considers RSC to have been a mistake and that he does not intend to adopt it.
His frustration has legitimate technical grounding. The RSC Flight protocol is a deserialization layer, and deserialization vulnerabilities have historically been persistent and hard to fully close. The December 2025 release fixed an incomplete patch from a previous advisory. This May 2026 release fixes another incomplete patch from January 2026. There is a pattern here.
For indie hackers making a fresh framework decision today, this context matters. RSC offers real benefits: reduced client bundle size, server-side data access without a separate API layer, simpler data fetching patterns for certain use cases. But the security surface is still being hardened, and it requires staying current on patches.
If you are on Next.js App Router because that is what your AI-assisted boilerplate generated, make sure you have a process for receiving and applying security patches. Next.js ships security updates without prior notice and recommends upgrading immediately. If your deployment process makes that difficult, that is a workflow problem worth solving now rather than after an incident.
How to check if you are running an affected version
Run this in your project directory:
npx next --version
If the output is anything below 15.5.18 on the 15.x line or below 16.2.6 on the 16.x line, you are running a version that has not received these patches. Upgrade and redeploy.
You can also check your package.json file directly:
{
  "dependencies": {
    "next": "^16.2.6"
  }
}
If the version range still points at an older minor (for example ^16.0.0), run npm install next@latest to get the patched version.
A note on Cloudflare WAF
Previous Next.js security releases in December 2025 and January 2026 saw Cloudflare deploy WAF rules that gave teams a temporary buffer before patching. That buffer does not exist for this release.
Vercel's advisory is explicit: these vulnerabilities "cannot be reliably blocked at the WAF layer." If you have been running behind a Cloudflare proxy with the assumption that WAF rules catch Next.js vulnerabilities before you patch, that approach worked for the earlier CVEs but does not work here.
The Vercel vs Hetzner comparison covers the self-hosting tradeoffs in more depth if you are thinking about infrastructure setup, but regardless of where your app runs, the action item is the same: upgrade Next.js.
FAQ
Do I need to upgrade if I am on Vercel and only using the Pages Router?
You are not affected by the most critical CVEs, but upgrading is still recommended. The i18n bypass (CVE-2026-44573) affects Pages Router apps with internationalization enabled, and staying on a patched version protects you from future vulnerabilities that may affect your setup. Run npm install next@latest and redeploy.
My app uses App Router but I handle auth in the backend, not in middleware. Am I still at risk?
If your authorization logic runs on the server and does not depend on middleware to be the sole gatekeeper, your security posture is stronger. The middleware bypass CVEs specifically affect setups where middleware is the primary or only place authorization is enforced. Server-side auth checks (checking session or token in each route handler) are not bypassed by these vulnerabilities.
Do I need to patch React packages separately from Next.js?
Next.js packages the correct React version in most cases, but if you have explicit React dependencies in your package.json, update those too: npm install react@latest react-dom@latest. For the react-server-dom packages, the patched versions are 19.0.6, 19.1.7, and 19.2.6 depending on your React minor.
Is Next.js still worth using after this run of CVEs?
Yes, for most use cases. The framework is genuinely useful, the Vercel team has been responsive in coordinating disclosures and patches, and the App Router offers real productivity benefits for the right project. The question is whether you can maintain a consistent upgrade cadence. If your deployment process makes applying security patches slow or difficult, that is the actual problem to address.
I am building a new project. Should I use the App Router?
If you are on Next.js, yes. The Pages Router is in maintenance mode. The more honest question is whether Next.js is the right framework for your project at all. If you are building a server-rendered app and you want the ecosystem and community, Next.js is still a strong choice. If you want a simpler mental model for a small SaaS, frameworks like Remix or SvelteKit involve less complexity.
What to do
Run npm install next@latest and redeploy. That covers you for all 13 advisories. If you are self-hosting on a VPS and cannot patch immediately, block the Next-Resume header at your edge proxy as a partial mitigation for the cache deadlock CVE, but treat it as temporary. There is no substitute for patching.
The pattern of recurring RSC vulnerabilities is a real thing worth watching. It does not mean Next.js is broken. It does mean the RSC protocol is still being hardened, and staying on a current patch version is more important now than it was two years ago.