CVE-2026-44582

Description

### Impact React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisions in the `_rsc` cache-busting value can allow an attacker to poison cache entries so users receive the wrong response variant for a given URL. ### Fix We strengthened the `_rsc` cache-busting mechanism to make practical collisions significantly harder and to better separate response variants that should not share cache entries. ### Workarounds If you cannot upgrade immediately, ensure intermediary caches correctly honor `Vary` for RSC-related request headers, or disable shared caching for affected RSC responses until you can deploy a patched release.

Affected packages (1)

• npm/next>= 13.4.6, < 15.5.16

CVSS scores

References (5)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-44582
• PATCHhttps://github.com/vercel/next.js
• WEBhttps://github.com/vercel/next.js/releases/tag/v15.5.16
• WEBhttps://github.com/vercel/next.js/releases/tag/v16.2.5
• WEBhttps://github.com/vercel/next.js/security/advisories/GHSA-vfv6-92ff-j949