{
  "threat_severity" : "Moderate",
  "public_date" : "2026-05-13T16:57:10Z",
  "bugzilla" : {
    "description" : "Next.js: Cache poisoning vulnerability in React Server Components",
    "id" : "2477209",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2477209"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L",
    "status" : "draft"
  },
  "cwe" : "CWE-444",
  "details" : [ "Next.js is a React framework for building full-stack web applications. Versions from 14.2.0 up to, but not including, 15.5.16, and the 16 series before 16.2.5, are affected: applications using React Server Components (RSC) can be vulnerable to cache poisoning when a shared cache does not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the page's original URL, so the shared cache stores the component payload under the same entry as the HTML page, and later visitors receive the component payload instead of the expected HTML. This vulnerability is fixed in 15.5.16 and 16.2.5.", "A flaw was found in Next.js, a React framework for building web applications. This cache poisoning vulnerability affects applications that use React Server Components (RSC) when a shared cache fails to partition response variants. A remote attacker can exploit it by causing an RSC response to be served from the page's original URL, poisoning the shared cache entry for that page. As a result, subsequent visitors requesting the page may receive the component payload instead of the intended HTML content." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Fix deferred",
    "package_name" : "rhelai3/bootc-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Fix deferred",
    "package_name" : "rhelai3/bootc-gaudi-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Fix deferred",
    "package_name" : "rhelai3/bootc-rocm-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Fix deferred",
    "package_name" : "rhelai3/disk-image-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Trusted Artifact Signer",
    "fix_state" : "Fix deferred",
    "package_name" : "rhtas/rekor-search-ui-rhel9",
    "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1"
  }, {
    "product_name" : "streams for Apache Kafka 2",
    "fix_state" : "Fix deferred",
    "package_name" : "next",
    "cpe" : "cpe:/a:redhat:amq_streams:2"
  }, {
    "product_name" : "streams for Apache Kafka 3",
    "fix_state" : "Fix deferred",
    "package_name" : "next",
    "cpe" : "cpe:/a:redhat:amq_streams:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-44576", "https://nvd.nist.gov/vuln/detail/CVE-2026-44576", "https://github.com/vercel/next.js/security/advisories/GHSA-wfc6-r584-vfw7" ],
  "name" : "CVE-2026-44576",
  "mitigation" : {
    "value" : "Upgrade to a fixed Next.js release (15.5.16 or 16.2.5, or later). Independently of the upgrade, make sure every shared cache in front of the application (CDN, reverse proxy, or application-level cache) partitions React Server Components responses from HTML responses: the cache key must include the request headers and parameters that select the response variant, and the cache must honour the Vary header the application sends, so that a component payload stored for a URL is never returned to a client that asked for the HTML page. Review the documentation of your caching product for cache-key and variant handling. A cache that keys only on the URL lets an attacker poison the entry for a page and affects every later visitor until the entry expires or is purged.",
    "lang" : "en:us"
  },
  "csaw" : false
}
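The partitioning failure described in the details and mitigation fields above, as an added worked example that is not Next.js, Red Hat or advisory code: a toy shared cache (CDN or reverse-proxy model) in front of a mock Next.js-like origin, with a URL-only cache key beside a Vary-aware one. The example assumes that RSC fetches carry an `RSC: 1` request header, that the origin answers them with a flight payload of type `text/x-component`, and that it sends `Vary: RSC` on both variants; these are modelling assumptions, not facts taken from the advisory.

```javascript
// Added example, not Next.js or Red Hat code: a toy shared cache (CDN or
// reverse-proxy model) in front of a mock Next.js-like origin, showing why a
// URL-only cache key lets an RSC response poison the HTML entry, and how a
// cache that partitions variants per the origin's Vary header does not.
// Assumptions (modelled here, not taken from the advisory): RSC fetches carry
// an "RSC: 1" request header, the origin answers them with a flight payload
// of type text/x-component, and the origin sends "Vary: RSC" on both variants.

// Lower-case header names and trim values, as a cache would before keying.
const normalizeHeaders = (h) => Object.fromEntries(
  Object.entries(h || {}).map(([k, v]) => [k.toLowerCase(), String(v).trim()]));

// Mock origin: one route, two variants selected by the RSC request header.
function origin(req) {
  const isRsc = req.headers["rsc"] === "1";
  return {
    status: 200,
    headers: {
      "content-type": isRsc ? "text/x-component" : "text/html; charset=utf-8",
      "vary": "RSC",
      "cache-control": "public, s-maxage=60",
    },
    // Constructed sample bodies: a minimal flight payload vs. an HTML page.
    body: isRsc
      ? '0:["$","div",null,{"children":"hello"}]\n'
      : "<!doctype html><html><body><div>hello</div></body></html>",
  };
}

class SharedCache {
  // honorVary=false models a cache keyed on the URL alone (the poisonable
  // configuration); honorVary=true stores one entry per selected-header value.
  constructor({ honorVary }) {
    this.honorVary = honorVary;
    this.store = new Map();   // url -> [{ fields, selected, res }]
    this.originHits = 0;
  }

  varyFields(res) {
    if (!this.honorVary) return [];
    return (res.headers["vary"] || "")
      .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  }

  fetch(req) {
    const headers = normalizeHeaders(req.headers);
    const entries = this.store.get(req.url) || [];
    // A stored entry matches only if every header the origin varied on has
    // the same value in this request as in the request that populated it.
    const hit = entries.find((e) =>
      e.fields.every((f) => (headers[f] || "") === e.selected[f]));
    if (hit) return { ...hit.res, fromCache: true };

    this.originHits += 1;
    const res = origin({ url: req.url, headers });
    const fields = this.varyFields(res);
    if (!fields.includes("*")) {          // Vary: * means never reuse
      const selected = Object.fromEntries(fields.map((f) => [f, headers[f] || ""]));
      entries.push({ fields, selected, res });
      this.store.set(req.url, entries);
    }
    return { ...res, fromCache: false };
  }
}

// The sequence the advisory describes: an attacker warms the cache for the
// page URL with an RSC request, then an ordinary visitor asks for the page.
function poisoningScenario(honorVary) {
  const cache = new SharedCache({ honorVary });
  const url = "/products";
  cache.fetch({ url, headers: { RSC: "1" } });                      // attacker
  const visitor = cache.fetch({ url, headers: { Accept: "text/html" } });
  return {
    contentType: visitor.headers["content-type"],
    fromCache: visitor.fromCache,
    poisoned: visitor.headers["content-type"] === "text/x-component",
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("URL-only key :", poisoningScenario(false));
  console.log("Vary-aware   :", poisoningScenario(true));
}
```

With the URL-only key the visitor is served the attacker's component payload straight from the cache; with the Vary-aware key the visitor's request misses (its `RSC` value is empty, not `1`), the HTML is fetched and stored as its own variant, and both variants are still cached for later same-variant requests. A real CDN should be checked the same way: issue one request with the RSC selector and one without, and confirm the second never returns `text/x-component`.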