---
title: "Next.js & React security release (May 2026): what to know"
description: "Twelve security vulnerabilities in Next.js and React have been disclosed: middleware bypass, XSS, SSRF, and DoS. Affected projects should upgrade."
source: "https://www.netlify.com/changelog/2026-05-08-react-nextjs-security-vulnerabilities/"
last_updated: "2026-07-01T17:56:49.000Z"
---
The Next.js and React teams have disclosed [twelve security vulnerabilities](https://github.com/vercel/next.js/security): one in React Server Components and eleven in Next.js, all patched on May 6, 2026, plus a follow-up advisory on May 7. The issues span middleware/proxy bypass, cross-site scripting (XSS), server-side request forgery (SSRF), cache poisoning, and denial of service (DoS). No detailed proof-of-concept information has been published. Here’s what Netlify customers need to know.

## Summary

If you run Next.js on Netlify, **we strongly recommend upgrading `next` to 15.5.18 or 16.2.6** and redeploying. This also brings in the patched React Server Components dependency. Projects using Pages Router with i18n and Next.js Middleware / Proxy also need [OpenNext Netlify Next.js adapter v5.15.11](https://github.com/opennextjs/opennextjs-netlify/releases/tag/v5.15.11). If you use `react-server-dom-*` outside of Next.js, upgrade to 19.0.6 / 19.1.7 / 19.2.6 matching your React minor. See [What should I do?](#what-should-i-do) for full steps.

Netlify’s platform is **not** vulnerable to several of these CVEs. Image Optimization, WebSocket SSRF, RSC cache poisoning, and the cache-poisoned-redirect bypass do not affect Netlify projects. See [Impact on Netlify](#impact-on-netlify) for the per-CVE verdict.

## Vulnerabilities

### React (`react-server-dom-*`)

This affects `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack`. The Next.js advisory [GHSA-8h8q-6873-q5fj](https://github.com/vercel/next.js/security/advisories/GHSA-8h8q-6873-q5fj) tracks the same issue downstream.

| Vulnerability | Severity | Affected versions | Fixed in |
| --- | --- | --- | --- |
| [GHSA-rv78-f8rc-xrxh](https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh) — DoS in Server Components ([CVE-2026-23870](https://www.cve.org/CVERecord?id=CVE-2026-23870)) | High | 19.0.0–19.0.5, 19.1.0–19.1.6, 19.2.0–19.2.5 | 19.0.6, 19.1.7, 19.2.6 |

### Next.js

All Next.js issues are patched in **15.5.18** and **16.2.6**. Earlier minors of 15.x and 16.x will not be patched; affected projects must upgrade to a patched minor.

| Vulnerability | Severity | Affected versions |
| --- | --- | --- |
| [GHSA-8h8q-6873-q5fj](https://github.com/vercel/next.js/security/advisories/GHSA-8h8q-6873-q5fj) — DoS with Server Components | High | ≥13.0.0 |
| [GHSA-267c-6grr-h53f](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f) — Middleware / Proxy bypass in App Router via segment-prefetch routes | High | ≥15.2.0 |
| [GHSA-26hh-7cqf-hhc6](https://github.com/vercel/next.js/security/advisories/GHSA-26hh-7cqf-hhc6) — Follow-up to [GHSA-267c-6grr-h53f](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f): incomplete fix for `middleware.ts` with Turbopack | High | ≥15.2.0 |
| [GHSA-mg66-mrh9-m8jx](https://github.com/vercel/next.js/security/advisories/GHSA-mg66-mrh9-m8jx) — DoS via connection exhaustion in apps using Cache Components | High | ≥15.0.0 (apps using Cache Components) |
| [GHSA-492v-c6pp-mqqv](https://github.com/vercel/next.js/security/advisories/GHSA-492v-c6pp-mqqv) — Middleware / Proxy bypass through dynamic route parameter injection | High | ≥15.4.0 |
| [GHSA-c4j6-fc7j-m34r](https://github.com/vercel/next.js/security/advisories/GHSA-c4j6-fc7j-m34r) — SSRF in applications using WebSocket upgrades | High | ≥13.4.13 |
| [GHSA-36qx-fr4f-26g5](https://github.com/vercel/next.js/security/advisories/GHSA-36qx-fr4f-26g5) — Middleware / Proxy bypass in Pages Router applications using i18n | High | ≥12.2.0 |
| [GHSA-ffhc-5mcf-pf4q](https://github.com/vercel/next.js/security/advisories/GHSA-ffhc-5mcf-pf4q) — XSS in App Router applications using CSP nonces | Medium | ≥13.4.0 |
| [GHSA-gx5p-jg67-6x7h](https://github.com/vercel/next.js/security/advisories/GHSA-gx5p-jg67-6x7h) — XSS in `beforeInteractive` scripts with untrusted input | Medium | ≥13.0.0 |
| [GHSA-h64f-5h5j-jqjh](https://github.com/vercel/next.js/security/advisories/GHSA-h64f-5h5j-jqjh) — DoS in the Image Optimization API | Medium | ≥10.0.0 |
| [GHSA-wfc6-r584-vfw7](https://github.com/vercel/next.js/security/advisories/GHSA-wfc6-r584-vfw7) — Cache poisoning in React Server Component responses | Medium | ≥14.2.0 |
| [GHSA-vfv6-92ff-j949](https://github.com/vercel/next.js/security/advisories/GHSA-vfv6-92ff-j949) — Cache poisoning via collisions in React Server Component cache-busting | Low | ≥13.4.6 |
| [GHSA-3g8h-86w9-wvmq](https://github.com/vercel/next.js/security/advisories/GHSA-3g8h-86w9-wvmq) — Middleware / Proxy redirects can be cache-poisoned | Low | ≥12.2.0 |

## Impact on Netlify

### Denial of service

[GHSA-8h8q-6873-q5fj](https://github.com/vercel/next.js/security/advisories/GHSA-8h8q-6873-q5fj) and [GHSA-mg66-mrh9-m8jx](https://github.com/vercel/next.js/security/advisories/GHSA-mg66-mrh9-m8jx) are server-side denial-of-service (DoS) vulnerabilities. On Netlify, these have **minimal impact**: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. However, active exploitation could increase your function costs. Note that Cache Components ([GHSA-mg66-mrh9-m8jx](https://github.com/vercel/next.js/security/advisories/GHSA-mg66-mrh9-m8jx)) is an opt-in Next.js feature that is not enabled by default. Upgrading Next.js resolves both.

[GHSA-h64f-5h5j-jqjh](https://github.com/vercel/next.js/security/advisories/GHSA-h64f-5h5j-jqjh) affects the Next.js Image Optimization API. Netlify projects are **not affected**: this Next.js code path is not used on Netlify — image optimization is handled by [Netlify Image CDN](https://docs.netlify.com/build/image-cdn/overview/), a separate service that runs outside your project’s functions with its own protections against this class of issue.

### Middleware / proxy bypass

These five advisories (four issues, one of which received a follow-up) affect Next.js Middleware / Proxy routing. A successful bypass skips whatever your middleware enforces, such as authentication checks or redirects, so until you have upgraded, treat authorization that lives only in middleware as a single, bypassable layer. Because Netlify runs Next.js middleware via our own edge function adapter, the impact varies per advisory:

-   [GHSA-3g8h-86w9-wvmq](https://github.com/vercel/next.js/security/advisories/GHSA-3g8h-86w9-wvmq) (cache-poisoned redirects): Netlify projects are **not affected**. Our OpenNext Netlify Next.js adapter already varies cached responses on the `x-nextjs-data` header.
-   [GHSA-492v-c6pp-mqqv](https://github.com/vercel/next.js/security/advisories/GHSA-492v-c6pp-mqqv) (dynamic route parameter injection): Netlify projects are **affected**, and the upstream Next.js fix applies. Upgrading Next.js resolves the issue.
-   [GHSA-36qx-fr4f-26g5](https://github.com/vercel/next.js/security/advisories/GHSA-36qx-fr4f-26g5) (Pages Router i18n bypass): Netlify projects using Pages Router with i18n and Next.js Middleware / Proxy are **affected**. The upstream Next.js patch alone does not resolve this on Netlify; a Netlify-specific fix shipped in [OpenNext Netlify Next.js adapter v5.15.11](https://github.com/opennextjs/opennextjs-netlify/releases/tag/v5.15.11). See [how to upgrade](#what-should-i-do) below.
-   [GHSA-267c-6grr-h53f](https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f) (App Router segment-prefetch bypass) and [GHSA-26hh-7cqf-hhc6](https://github.com/vercel/next.js/security/advisories/GHSA-26hh-7cqf-hhc6) (follow-up): Netlify projects are **affected**, and the upstream Next.js fix applies. Upgrading Next.js resolves both.

### Cross-site scripting

[GHSA-ffhc-5mcf-pf4q](https://github.com/vercel/next.js/security/advisories/GHSA-ffhc-5mcf-pf4q) and [GHSA-gx5p-jg67-6x7h](https://github.com/vercel/next.js/security/advisories/GHSA-gx5p-jg67-6x7h) are client-side XSS vulnerabilities. The hosting provider makes no difference here: any app that uses CSP nonces in App Router, or that passes untrusted input to `beforeInteractive` scripts, is **vulnerable** until it runs a patched release. Upgrade Next.js to remediate.

### Server-side request forgery

[GHSA-c4j6-fc7j-m34r](https://github.com/vercel/next.js/security/advisories/GHSA-c4j6-fc7j-m34r) affects applications using WebSocket upgrades. Netlify projects are **not affected**: Netlify Functions and Edge Functions do not support WebSocket upgrades, so this Next.js code path cannot be exercised on Netlify.

### Cache poisoning

[GHSA-wfc6-r584-vfw7](https://github.com/vercel/next.js/security/advisories/GHSA-wfc6-r584-vfw7) and [GHSA-vfv6-92ff-j949](https://github.com/vercel/next.js/security/advisories/GHSA-vfv6-92ff-j949) affect React Server Component response caching. Netlify projects are **not affected**: Netlify’s CDN does not rely on the `_rsc` cache-busting query parameter (so collisions in it cannot poison cache entries), and it honors `Vary` on RSC-related request headers.

## What should I do?

We strongly recommend upgrading as soon as possible to patched releases:

-   **Next.js projects:** upgrade `next` to 15.5.18 or 16.2.6. This bundles the patched React Server Components dependency, so a separate `react-server-dom-*` upgrade is not needed.
-   **Direct `react-server-dom-*` users** (React Router RSC, Vite RSC plugin, custom RSC setups): upgrade `react-server-dom-webpack`, `react-server-dom-parcel`, or `react-server-dom-turbopack` to 19.0.6, 19.1.7, or 19.2.6 — matching your React minor.

For Next.js 13.x, 14.x and older affected versions: patches are not planned for these release lines. Upgrade to Next.js 15.5.18 or 16.2.6.

For projects using Pages Router with i18n and Next.js Middleware / Proxy ([GHSA-36qx-fr4f-26g5](https://github.com/vercel/next.js/security/advisories/GHSA-36qx-fr4f-26g5)), the upstream Next.js fix does not fully apply on Netlify. The fix ships in [OpenNext Netlify Next.js adapter v5.15.11](https://github.com/opennextjs/opennextjs-netlify/releases/tag/v5.15.11):

-   Auto-installed adapter (default): redeploy.
-   Manually installed adapter: upgrade `@netlify/plugin-nextjs` to v5.15.11 and redeploy. We recommend [not pinning the adapter version](https://docs.netlify.com/build/frameworks/framework-setup-guides/nextjs/overview/#how-netlify-runs-your-nextjs-app) so future fixes ship automatically.

Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are [automatically deleted](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#automatic-deploy-deletion). Consider [deleting these deploys manually](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#manual-deploy-deletion-through-the-netlify-ui).

## Resources

-   [React security advisory (GHSA-rv78-f8rc-xrxh)](https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh)
-   [CVE-2026-23870](https://www.cve.org/CVERecord?id=CVE-2026-23870)
-   [Next.js security advisories](https://github.com/vercel/next.js/security)