
Vercel and the React team have fixed 13 vulnerabilities affecting Next.js and React Server Components, with three high-severity flaws drawing the most urgent attention from the security community. The issues span middleware bypasses, server-side request forgery, cross-site scripting, denial of service, and cache poisoning — a broad attack surface that touches virtually every production Next.js deployment.
Cloudflare disclosed the situation on its WAF changelog on May 7, noting that the vulnerabilities were shared with minimal advance notice, leaving investigators still working out which flaws can even be blocked at the network layer.
The three flaws likely to cause the most damage in the wild are:
CVE-2026-44574 is a middleware and proxy bypass triggered through dynamic route parameter injection. Middleware in Next.js is commonly used as the gatekeeper for authentication, so an attacker who can slip past it gains access to protected routes without ever needing valid credentials. Cloudflare confirmed that no managed WAF rule can safely block this one without risking breaking legitimate application behavior.
CVE-2026-44578 covers server-side request forgery (SSRF) in applications that handle WebSocket upgrade requests. An SSRF flaw lets an attacker trick the server into making outbound requests to internal systems — useful for cloud metadata endpoint probing or pivoting into internal infrastructure.
CVE-2026-44581 introduces a cross-site scripting vector in App Router applications that use CSP nonces. Content Security Policy nonces (single-use tokens) are specifically deployed to prevent XSS, so a flaw that turns that mechanism against users is particularly pointed in its irony.
Patched versions are available: React's server component packages (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) at versions 19.0.6, 19.1.7, and 19.2.6, and Next.js at 15.5.16 and 16.2.5.
For teams running Next.js on Cloudflare Workers via OpenNext, the adapter has been updated with additional hardening, though application-level Next.js dependency updates are still required.
Notably, several of the vulnerabilities are architecturally impossible to block with WAF rules alone — making patching the only real fix, not a firewall configuration.
Update (May 8, 2026): Vercel has now published the full set of security advisories on GitHub, confirming all 13 vulnerabilities across the May 6–7 disclosure.
The advisories also reveal a significant wrinkle: the fix addressing the App Router segment-prefetch middleware bypass (GHSA-267c-6grr-h53f) was found to be incomplete for Turbopack users — the fix did not apply to middleware.ts when the Turbopack bundler is in use. A follow-up advisory (GHSA-26hh-7cqf-hhc6) was published on May 7 to address this gap.
As a result, developers using Turbopack must update to Next.js 15.5.18 or 16.2.6 — one version higher than the patches originally announced. Those not using Turbopack remain protected at 15.5.16 / 16.2.5 for that specific issue. The SSRF vulnerability (GHSA-c4j6-fc7j-m34r) has been confirmed to affect only self-hosted Next.js deployments; applications hosted on Vercel's platform are not impacted.
What you should do: Update Next.js immediately to 15.5.16 or 16.2.5. If you use a React meta-framework like TanStack Start, OpenNext, or Vinext, update those too. Do not treat WAF coverage as a substitute for patching — Cloudflare itself says so.
Update: The TanStack creator confirmed to Cyber Kendra that the CVEs don't affect TanStack Start.