Vercel has patched 13 security vulnerabilities across Next.js and React in a coordinated May 2026 release. The advisory list covers four severity tiers and five attack categories: middleware and proxy bypass (four High, one Low), denial of service (two High, one Moderate), server-side request forgery (one High), cache poisoning (one Moderate, one Low), and cross-site scripting (two Moderate). One DoS vulnerability in React Server Components is tracked as CVE-2026-23870 upstream in the React project itself, making this a cross-ecosystem incident, not just a Next.js problem.
All Next.js 13.x and 14.x users are fully affected with no patch on those branches: the required upgrade is to 15.5.18 or 16.2.6. Next.js 15.x users on 15.5.17 or below and 16.x users on 16.2.5 or below must upgrade to their respective patched versions. React users must update react-server-dom-parcel, react-server-dom-webpack, and react-server-dom-turbopack to 19.0.6, 19.1.7, or 19.2.6 depending on their release track. Vercel has explicitly stated that no new WAF rules have been deployed because these vulnerabilities cannot be reliably blocked at the network layer.
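The version thresholds above are the kind of thing worth checking mechanically rather than by eye. The script below is an added example, not Vercel's or the Next.js project's code: it compares the `next` and `react-server-dom-*` entries of a `package.json` against the patched versions named in this summary (15.5.18 / 16.2.6 for Next.js; 19.0.6 / 19.1.7 / 19.2.6 for the React Server Components packages) and flags anything below them. The sample `package.json` is constructed. Release lines the summary does not mention are reported as "unknown" rather than guessed at.

```javascript
// Added example (not Vercel's or the Next.js project's code): flags Next.js and
// react-server-dom-* versions below the patched versions named in the summary.
// Assumption: versions compare as plain semver major.minor.patch; tracks not
// mentioned in the summary are reported as "unknown", not as safe.

const NEXT_PATCHED = { 15: [15, 5, 18], 16: [16, 2, 6] };
const NEXT_UPGRADE_TARGETS = "15.5.18 or 16.2.6"; // 13.x / 14.x have no patch

// react-server-dom-* patched version per release track (19.0 / 19.1 / 19.2).
const RSC_PATCHED = { "19.0": [19, 0, 6], "19.1": [19, 1, 7], "19.2": [19, 2, 6] };
const RSC_PACKAGES = new Set([
  "react-server-dom-parcel",
  "react-server-dom-webpack",
  "react-server-dom-turbopack",
]);

// Parse "15.5.17", "v16.2.5", "^15.0.0" or "~19.1.2" into [major, minor, patch].
// A range prefix is stripped and its lower bound is used. That is deliberately
// pessimistic: the installed version may be higher, so confirm against the
// lockfile (or `npm ls <pkg>`) before acting on a "vulnerable" result.
function parseVersion(spec) {
  const m = /^[\^~=v]*(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Lexicographic compare of [major, minor, patch]; returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

const fmt = (v) => v.join(".");

// Status of the "next" package for a given version spec.
function assessNext(spec) {
  const v = parseVersion(spec);
  if (!v) return { status: "unknown", action: "could not parse version" };
  if (v[0] === 13 || v[0] === 14) {
    return { status: "vulnerable", action: `no patch on ${v[0]}.x; upgrade to ${NEXT_UPGRADE_TARGETS}` };
  }
  const patched = NEXT_PATCHED[v[0]];
  if (!patched) return { status: "unknown", action: "release line not covered by this summary" };
  if (compareVersions(v, patched) < 0) return { status: "vulnerable", action: `upgrade to ${fmt(patched)}` };
  return { status: "patched", action: "none" };
}

// Status of a react-server-dom-* package; the patched version depends on the
// 19.x minor track the project is on.
function assessReactServerDom(spec) {
  const v = parseVersion(spec);
  if (!v) return { status: "unknown", action: "could not parse version" };
  const patched = RSC_PATCHED[`${v[0]}.${v[1]}`];
  if (!patched) return { status: "unknown", action: "release track not covered by this summary" };
  if (compareVersions(v, patched) < 0) return { status: "vulnerable", action: `upgrade to ${fmt(patched)}` };
  return { status: "patched", action: "none" };
}

// Walk dependencies and devDependencies of a parsed package.json object and
// return one finding per package the advisory summary names.
function auditPackageJson(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const [name, spec] of Object.entries(deps)) {
    if (name === "next") findings.push({ name, spec, ...assessNext(spec) });
    else if (RSC_PACKAGES.has(name)) findings.push({ name, spec, ...assessReactServerDom(spec) });
  }
  return findings;
}

// Constructed sample package.json (not taken from any real project).
const SAMPLE_PACKAGE_JSON = {
  name: "sample-app",
  dependencies: {
    next: "15.5.17",
    react: "19.2.0",
    "react-server-dom-webpack": "19.2.0",
  },
};

for (const f of auditPackageJson(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.name}@${f.spec}: ${f.status} (${f.action})`);
}
```

To run it against a real project, replace `SAMPLE_PACKAGE_JSON` with `JSON.parse(fs.readFileSync("package.json", "utf8"))`, but treat a caret or tilde range as a prompt to check the resolved version in the lockfile, since the range's lower bound is what the script compares.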
The full advisory is worth reading beyond the patch table. The bypass chain involving App Router segment-prefetch URLs received two separate advisories, one for the original flaw and one for an incomplete prior fix, which signals that authorization logic in middleware and proxy configurations has proven structurally difficult to patch correctly. If your application uses middleware.js or proxy.js for any access control, the reasoning behind those two High-severity bypass entries is the section to study.