Next.js May 2026 security release - Vercel

2 min read Original article ↗

Copy link to headingSummary

We have shipped a coordinated security release for Next.js addressing 13 advisories across denial of service, middleware and proxy bypass, server-side request forgery, cache poisoning, and cross-site scripting. One advisory addresses an upstream React Server Components vulnerability tracked as CVE-2026-23870.

Copy link to headingRecommended actions

Patched versions are available for both React and Next.js, and all affected users should upgrade immediately.

Copy link to headingImpact

The release addresses the following advisories:

Copy link to headingMiddleware and proxy bypass

Affects applications that rely on middleware.js or proxy.js for authorization.

Copy link to headingDenial of service

Affects applications using Server Functions, Partial Prerendering with Cache Components, or the Image Optimization API.

Copy link to headingServer-side request forgery

Affects applications that handle WebSocket upgrade requests.

Copy link to headingCache poisoning

Affects applications with caching layers in front of React Server Component responses.

Copy link to headingCross-site scripting

Affects applications using CSP nonces in App Router, or beforeInteractive scripts that consume untrusted input.

Copy link to headingResolution

These vulnerabilities are addressed by the patched releases of React and Next.js. Patching is the only complete mitigation, and all affected users should upgrade immediately.

Vercel has not deployed new WAF rules for this release; these advisories cannot be reliably blocked at the WAF layer.

Copy link to headingAffected versions

Copy link to headingFixed in

Frameworks and bundlers using react-server-dom-* packages should install the latest versions provided by their respective maintainers.

Copy link to headingReferences