CVE-2026-44582: Next.js: Cache poisoning via collisions in React Server Component cache-busting

Published May 11, 2026

### Impact

React Server Component (RSC) responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisions in the `_rsc` cache-busting value can allow an attacker to poison cache entries so that users receive the wrong response variant for a given URL.

### Fix

We strengthened the `_rsc` cache-busting mechanism to make practical collisions significantly harder and to better separate response variants that should not share cache entries.

### Workarounds

If you cannot upgrade immediately, ensure intermediary caches correctly honor `Vary` for RSC-related request headers, or disable shared caching for affected RSC responses until you can deploy a patched release.
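The following is an added example, not code from the advisory or from the Next.js project. It models a shared cache sitting in front of an origin that serves both an HTML document and an RSC payload for the same path, and contrasts a cache that keys on the URL alone (the "insufficient response partitioning" condition above) with one that honors the request headers named in `Vary` (the first workaround). The header names `RSC`, `Next-Router-State-Tree` and `Next-Router-Prefetch` and the `_rsc` query parameter follow Next.js conventions; the cache model, the stand-in origin, the host `example.test` and the sample requests are constructed for the demonstration and are not how Next.js or any particular CDN is implemented.

```javascript
// Added example (not from the advisory or Next.js): a toy shared cache that
// shows why RSC responses must be partitioned by the Vary'd request headers.

// Header list Next.js-style responses advertise in Vary (names are Next.js
// conventions; the rest of this file is constructed for illustration).
const RSC_VARY = "RSC, Next-Router-State-Tree, Next-Router-Prefetch";

// Constructed stand-in for the origin: it picks the response variant from
// exactly the request headers it lists in Vary.
function origin(req) {
  const h = req.headers;
  if (h.rsc === "1") {
    const tree = h["next-router-state-tree"] ?? "";
    return {
      headers: { "content-type": "text/x-component", vary: RSC_VARY },
      body: `RSC flight payload for tree=${tree}`,
    };
  }
  return {
    headers: { "content-type": "text/html", vary: RSC_VARY },
    body: "<html>full HTML document</html>",
  };
}

// Canonical cache key for the URL: parameter order must not split entries.
function normalizeUrl(rawUrl) {
  const u = new URL(rawUrl);
  u.searchParams.sort();
  return u.toString();
}

function parseVary(value) {
  return (value ?? "").split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
}

// Minimal shared cache. honorVary=false keys on URL only, so a `_rsc`
// collision makes one stored variant answer every request for that URL.
// honorVary=true stores, per entry, the request header values the origin
// varied on and only serves an entry whose values match the new request.
class SharedCache {
  constructor({ honorVary }) {
    this.honorVary = honorVary;
    this.entries = new Map(); // normalized URL -> [{ vary, selected, body }]
  }
  matches(entry, req) {
    if (!this.honorVary) return true; // first stored variant wins
    return entry.vary.every(h => (req.headers[h] ?? "") === entry.selected[h]);
  }
  fetch(req) {
    const key = normalizeUrl(req.url);
    const variants = this.entries.get(key) ?? [];
    const hit = variants.find(e => this.matches(e, req));
    if (hit) return { body: hit.body, cached: true };
    const res = origin(req);
    const vary = parseVary(res.headers.vary);
    const selected = Object.fromEntries(vary.map(h => [h, req.headers[h] ?? ""]));
    variants.push({ vary, selected, body: res.body });
    this.entries.set(key, variants);
    return { body: res.body, cached: false };
  }
}

// Scenario (constructed): an attacker primes the cache for /products?_rsc=9f3c
// with an RSC request for router state tree "A"; a victim whose navigation
// collides on the same `_rsc` value asks with tree "B"; then a plain browser
// load of the same URL arrives with no RSC headers at all.
function runScenario(honorVary) {
  const cache = new SharedCache({ honorVary });
  const url = "https://example.test/products?_rsc=9f3c"; // constructed
  const attacker = { url, headers: { rsc: "1", "next-router-state-tree": "A" } };
  const victim = { url, headers: { rsc: "1", "next-router-state-tree": "B" } };
  const browser = { url, headers: {} };
  return {
    attacker: cache.fetch(attacker).body,
    victim: cache.fetch(victim).body,
    browser: cache.fetch(browser).body,
  };
}

console.log("URL-only keying:", runScenario(false));
console.log("Vary honored:   ", runScenario(true));
```

With URL-only keying the victim and the plain browser load both receive the attacker's tree-A flight payload, which is the wrong-variant outcome the advisory describes (the browser gets an RSC payload where it expected HTML). With `Vary` honored, each request misses and gets its own variant, so the poisoned entry never reaches another user. The second workaround, disabling shared caching for RSC responses, corresponds to never storing entries whose `Content-Type` is `text/x-component` in this model.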

Affected Software

4 affected components, fixes available:

- npm/next >=16.0.0 <16.2.5 (fixed in 16.2.5)
- npm/next >=13.4.6 <15.5.16 (fixed in 15.5.16)
- Vercel Next.js (Node.js) >=13.4.6 <15.5.16
- Vercel Next.js (Node.js) >=16.0.0 <16.2.5

Event History

May 11, 2026
- Advisory Published via GitHub, 03:56 PM
- Data Sourced via GitHub, 03:56 PM (Description, Severity, Weakness, Affected Software)

May 13, 2026
- CVE Published via MITRE, 05:08 PM
- Data Sourced via MITRE, 05:08 PM (Description, Severity, Weakness)
- Data Sourced via NVD, 06:16 PM (Description, Severity, Weakness, Affected Software)

Frequently Asked Questions

1. What is the severity of CVE-2026-44582?

CVE-2026-44582 has a medium severity rating due to the potential risk of cache poisoning affecting application responses.

2. How do I fix CVE-2026-44582?

Upgrade Next.js to a patched release: 16.2.5 for the 16.x line, or 15.5.16 for versions from 13.4.6 through 15.x. If you cannot upgrade immediately, make sure intermediary caches honor `Vary` for RSC-related request headers, or disable shared caching for RSC responses until the patched release is deployed.

3. What systems are affected by CVE-2026-44582?

CVE-2026-44582 affects the Next.js package (`npm/next`) from 13.4.6 up to but not including 15.5.16, and from 16.0.0 up to but not including 16.2.5, in Node.js deployments that serve React Server Component responses through a shared cache with insufficient response partitioning.

4. What type of vulnerability is CVE-2026-44582?

CVE-2026-44582 is a cache poisoning vulnerability: collisions in the `_rsc` cache-busting value, combined with insufficient partitioning of React Server Component responses in shared caches, let an attacker cause users to receive the wrong response variant for a given URL.

5. Is CVE-2026-44582 being actively exploited?

There are currently no reported active exploits for CVE-2026-44582, but it is recommended to apply the fix promptly.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203