If exploited, this vulnerability allows an attacker to access pages, APIs, or data that your application is designed to restrict to authenticated or authorized users — without a valid login. For customer-facing applications, this could mean unauthorized access to account data, private content, or administrative functions. Organizations in regulated industries where web applications handle personal, financial, or health data face elevated compliance exposure if unauthorized access is confirmed.
You Are Affected If
You run Next.js (npm package 'next') with App Router enabled in production
Your application uses Next.js middleware to enforce authentication or authorization on one or more routes
The affected application is internet-facing or accessible to untrusted users
You have not applied the patched Next.js version confirmed in GHSA-267c-6grr-h53f
You do not have a WAF (such as Cloudflare with the 2026-05-07 emergency rule) in front of the application as a compensating control
Board Talking Points
A high-severity flaw in the Next.js web framework allows attackers to bypass login and access controls on affected applications without credentials.
Engineering teams should identify and patch all Next.js App Router applications immediately, prioritizing internet-facing systems within 24-48 hours.
Without action, protected application data and functionality may be accessible to any external attacker, creating direct data exposure and regulatory risk.
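The checklist condition that makes an application exposed is middleware acting as the only place authentication is enforced. Upgrading is the fix; independently of it, Next.js guidance has long been that middleware should not be the sole line of defence, and that route handlers and server code should verify the session themselves. The following is an added illustration written for this brief, not code from Next.js or from the advisory. It uses only the standard Request, Response and Headers globals (Node 18 or later) so it runs outside a Next.js process; the `SESSIONS` store, the `session` cookie name and the user records are constructed stand-ins for whatever your session library provides, and `requireRole` and `requestWithCookie` are helpers introduced here.

```javascript
// Added example, not from the advisory: a Next.js-style route handler that
// checks the caller's session itself instead of assuming middleware already did.
// In a real application GET and DELETE below would be the exports of a file such
// as app/api/account/route.js; here they run stand-alone on Node's Web API globals.

// Constructed fixture: server-side session id -> user record. A real app would
// consult its session store or verify a signed token here.
const SESSIONS = new Map([
  ["s3ss10n-alice", { id: 42, name: "alice", roles: ["user"] }],
  ["s3ss10n-admin", { id: 1, name: "root", roles: ["user", "admin"] }],
]);

// Parse the Cookie header into a plain object; tolerates a missing header,
// '=' inside values and percent-encoded values that fail to decode.
function parseCookies(request) {
  const header = request.headers.get("cookie") || "";
  const out = {};
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(raw);
    } catch {
      out[name] = raw;
    }
  }
  return out;
}

// Resolve the caller's session from the request; null when absent or unknown.
function getSession(request) {
  const { session } = parseCookies(request);
  if (!session) return null;
  return SESSIONS.get(session) || null;
}

// Authentication and authorization decision made next to the handler, so a
// request that never passed through middleware is still rejected here.
function requireRole(request, role) {
  const user = getSession(request);
  if (!user) return { ok: false, status: 401, error: "authentication required" };
  if (role && !user.roles.includes(role)) return { ok: false, status: 403, error: "forbidden" };
  return { ok: true, user };
}

// JSON response helper (avoids relying on Response.json(), which older Node 18 builds lack).
function json(body, status = 200) {
  return new Response(JSON.stringify(body), {
    status,
    headers: { "content-type": "application/json" },
  });
}

// Equivalent of `export async function GET(request)` in a route handler file.
async function GET(request) {
  const auth = requireRole(request, null);
  if (!auth.ok) return json({ error: auth.error }, auth.status);
  return json({ account: { id: auth.user.id, name: auth.user.name } });
}

// Admin-only operation: the role check is repeated here rather than trusted from middleware.
async function DELETE(request) {
  const auth = requireRole(request, "admin");
  if (!auth.ok) return json({ error: auth.error }, auth.status);
  return json({ deleted: true, by: auth.user.name });
}

// Helper for local exercise of the handlers: build a request with an optional Cookie header.
function requestWithCookie(method, cookie) {
  const headers = cookie ? { cookie } : {};
  return new Request("http://localhost/api/account", { method, headers });
}
```

The point of the pattern is that a request reaching the handler without a valid session is answered with 401 regardless of what happened, or did not happen, in middleware; middleware remains useful for redirects and coarse gating, but the authoritative decision is made where the data is served.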