Tags: CVE, technical, vulnerabilities

CVE-2026-32541: Next.js middleware bypass — analysis and fix

Published on 2026-06-05 · 6 min read · CleanIssue

The vulnerability

CVE-2026-32541, published in late May 2026, affects Next.js applications that rely on middleware for authentication and authorization. By adding a single crafted request header, an attacker could skip the middleware entirely and reach protected pages without authenticating.

Affected versions: Next.js 14.0 through 15.2.3 (inclusive)

Severity: Critical (CVSS 9.1)

Fix: Next.js 15.2.4+

How it works

Next.js middleware runs before a request reaches a page or route handler (in the Edge runtime by default). Many SaaS vendors use it as their authentication gate:

```typescript
// middleware.ts
import { NextRequest, NextResponse } from 'next/server'

export function middleware(request: NextRequest) {
  // The session cookie is the only thing standing between the request and the page
  const token = request.cookies.get('session')
  if (!token) {
    return NextResponse.redirect(new URL('/login', request.url))
  }
  return NextResponse.next()
}

// Only guard the protected area, so /login itself is not redirected in a loop
export const config = { matcher: ['/admin/:path*', '/dashboard/:path*'] }
```

The vulnerability exploited an undocumented behavior: when a request carried an x-middleware-prefetch header with a specific value, the middleware was skipped altogether, so the redirect above never ran. The request reached the protected page directly, session cookie or not.

Impact for HR SaaS

If your Next.js application uses middleware as its only authentication layer (a common setup), an attacker could:

  • Access admin dashboards
  • View employee data without logging in
  • Reach API endpoints protected only by middleware

Several of our clients were affected. We alerted them within 24 hours of the CVE publication.

How to check if you're affected

  • Check the Next.js version actually installed, not the range declared in package.json: npm ls next (or read node_modules/next/package.json)
  • If it is below 15.2.4, you are potentially vulnerable
  • Test on a deployment you own: request a protected page with the x-middleware-prefetch: 1 header and do not follow redirects. If you get the page (HTTP 200) instead of the redirect to /login, you are vulnerable
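As an added example (not code from the original post or from Next.js), the two checks above as a small TypeScript module: a version comparison against the affected range stated in this post, and a probe that requests a protected URL with and without the header and compares the outcomes. The fetch contract is kept minimal so the probe can be driven by the real fetch against a staging URL, or by a fake server offline; the URLs and fake responses used to exercise it are constructed for the demo.

```typescript
// First fixed and first affected releases, as stated in this post.
export const FIRST_FIXED = '15.2.4'
export const FIRST_AFFECTED = '14.0.0'

// Compare two dotted versions numerically, ignoring any pre-release suffix.
export function compareVersions(a: string, b: string): number {
  const pa = a.split('-')[0].split('.').map(Number)
  const pb = b.split('-')[0].split('.').map(Number)
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0)
    if (d !== 0) return d
  }
  return 0
}

// True when the installed version lies in [14.0.0, 15.2.4). Feed it the version
// from node_modules/next/package.json, not the range declared in package.json.
export function isAffectedVersion(installed: string): boolean {
  return compareVersions(installed, FIRST_AFFECTED) >= 0 &&
    compareVersions(installed, FIRST_FIXED) < 0
}

// Minimal fetch-like contract so the probe can run against a real deployment
// (pass globalThis.fetch) or against a fake server in a test.
export interface ProbeInit { redirect: 'manual'; headers?: Record<string, string> }
export type Fetcher = (url: string, init: ProbeInit) => Promise<{ status: number }>

export interface ProbeResult { withoutHeader: number; withHeader: number; bypassed: boolean }

// Request the protected URL twice, never following redirects so the middleware's
// 3xx stays visible, and report whether the header turned a redirect into a 200.
export async function probeBypass(url: string, fetchImpl: Fetcher): Promise<ProbeResult> {
  const plain = await fetchImpl(url, { redirect: 'manual' })
  const withHeader = await fetchImpl(url, {
    redirect: 'manual',
    headers: { 'x-middleware-prefetch': '1' },
  })
  const anonymousRedirected = plain.status >= 300 && plain.status < 400
  // Only a redirect-to-200 flip counts; a page that is public anyway is not a bypass.
  const bypassed = anonymousRedirected && withHeader.status === 200
  return { withoutHeader: plain.status, withHeader: withHeader.status, bypassed }
}
```

Point probeBypass at a staging URL with globalThis.fetch as the fetcher; a result with bypassed set to true means the header changed an anonymous redirect into a served page, which is exactly the symptom described above.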
Fix

Short term

Update Next.js to 15.2.4 or later, then confirm what is actually installed:

```bash
npm install next@latest
npm ls next   # the installed version must be 15.2.4 or later
```

Long term

Never rely on a single security layer. Middleware is convenient for redirects, but authorization must also be verified where the data is actually served:

  • In your Server Components (check the session)
  • In your Route Handlers / API Routes (check the token)
  • In your database (RLS policies if using Supabase)

Defense in depth means exactly that: even if one layer is bypassed, the others hold.
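An added example of that second layer (not the post's own code and not Next.js's): a session check that lives inside the Route Handler and the Server Component loader themselves, so it holds whether or not middleware ran. The HMAC-signed session format, the signing secret and the in-memory user table are assumptions constructed for the demo, and the framework-neutral request shape stands in for NextRequest so the code runs anywhere.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto'

// Constructed for this example: the signing secret and a tiny user table standing
// in for the real session store. Sessions are "<userId>.<expiryMs>.<hmac-hex>".
const SESSION_SECRET = 'demo-secret-rotate-me'

export interface Session { userId: string; role: 'admin' | 'employee' }

const USERS: Record<string, Session> = {
  'u-1': { userId: 'u-1', role: 'admin' },
  'u-2': { userId: 'u-2', role: 'employee' },
}

// Framework-neutral request/response shapes (header names lower-case). In a real
// app a Route Handler reads from NextRequest and returns a NextResponse instead.
export interface IncomingRequest { headers: Record<string, string> }
export interface HandlerResponse { status: number; body: string }

function sign(payload: string): string {
  return createHmac('sha256', SESSION_SECRET).update(payload).digest('hex')
}

export function issueSession(userId: string, ttlSeconds: number, now = Date.now()): string {
  const payload = `${userId}.${now + ttlSeconds * 1000}`
  return `${payload}.${sign(payload)}`
}

// Minimal Cookie header parser: returns the named cookie's value or null.
function readCookie(cookieHeader: string | undefined, name: string): string | null {
  if (!cookieHeader) return null
  for (const part of cookieHeader.split(';')) {
    const [key, ...rest] = part.trim().split('=')
    if (key === name) return decodeURIComponent(rest.join('='))
  }
  return null
}

// Verify the signature in constant time, then the expiry. Any failure yields null.
export function verifySession(token: string | null, now = Date.now()): Session | null {
  if (!token) return null
  const parts = token.split('.')
  if (parts.length !== 3) return null
  const [userId, exp, mac] = parts
  const got = Buffer.from(mac, 'hex')
  const want = Buffer.from(sign(`${userId}.${exp}`), 'hex')
  if (got.length !== want.length || !timingSafeEqual(got, want)) return null
  if (!/^\d+$/.test(exp) || Number(exp) <= now) return null
  return USERS[userId] ?? null
}

// Route Handler layer: the decision depends only on the cookie. An
// x-middleware-prefetch header, or middleware not running at all, changes nothing.
export function handleAdminApi(req: IncomingRequest, now = Date.now()): HandlerResponse {
  const session = verifySession(readCookie(req.headers['cookie'], 'session'), now)
  if (!session) return { status: 401, body: 'Unauthorized' }
  if (session.role !== 'admin') return { status: 403, body: 'Forbidden' }
  return { status: 200, body: JSON.stringify({ userId: session.userId }) }
}

// Server Component layer: resolve the session again before rendering and hand
// back a redirect target instead of page data when it is missing or insufficient.
export function loadAdminPage(req: IncomingRequest, now = Date.now()):
  { redirect: string } | { page: string; userId: string } {
  const session = verifySession(readCookie(req.headers['cookie'], 'session'), now)
  if (!session || session.role !== 'admin') return { redirect: '/login' }
  return { page: 'admin-dashboard', userId: session.userId }
}
```

The point of the design is that handleAdminApi and loadAdminPage never consult anything the middleware might have set: they re-derive the identity from the cookie on every call, so skipping the middleware only removes a convenience redirect, not the access decision.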

The role of auditing

This CVE illustrates why regular auditing is necessary. During our Next.js audits, we systematically check that authentication isn't solely carried by middleware. We test known bypasses and verify defense in depth is in place.

Written by CleanIssue
Reviewed on 2026-06-05
