Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-05-13T16:57:10 Next.js: Next.js: Cache poisoning vulnerability in React Server Components 5.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L CWE-444

A flaw was found in Next.js, a React framework for building web applications. This vulnerability, related to cache poisoning, affects applications utilizing React Server Components (RSC) when shared caches fail to properly partition response variants. A remote attacker can exploit this by causing an RSC response to be served from its original URL, thereby poisoning shared cache entries. As a result, subsequent visitors may receive unexpected component payloads instead of the intended HTML content.

To address this cache poisoning vulnerability in Next.js applications utilizing React Server Components, ensure that any shared caching mechanisms are configured to correctly partition responses. This involves defining cache keys that incorporate all relevant request parameters and headers to prevent serving incorrect content from the cache. Review the documentation for your specific caching solution (e.g., CDN, reverse proxy, or application-level cache) to implement robust cache key strategies and variant handling. Improper cache configuration can lead to an attacker poisoning cache entries, affecting subsequent users. Red Hat Enterprise Linux 10 Fix deferred firefox Red Hat Enterprise Linux 10 Fix deferred thunderbird Red Hat Enterprise Linux 7 Fix deferred firefox Red Hat Enterprise Linux 8 Fix deferred firefox Red Hat Enterprise Linux 8 Fix deferred thunderbird Red Hat Enterprise Linux 9 Fix deferred firefox Red Hat Enterprise Linux 9 Fix deferred thunderbird Red Hat Enterprise Linux AI (RHEL AI) 3 Fix deferred rhelai3/bootc-cuda-rhel9 Red Hat Enterprise Linux AI (RHEL AI) 3 Fix deferred rhelai3/bootc-gaudi-rhel9 Red Hat Enterprise Linux AI (RHEL AI) 3 Fix deferred rhelai3/bootc-rocm-rhel9 Red Hat Enterprise Linux AI (RHEL AI) 3 Fix deferred rhelai3/disk-image-cuda-rhel9 Red Hat Trusted Artifact Signer Fix deferred rhtas/rekor-search-ui-rhel9 streams for Apache Kafka 2 Fix deferred next streams for Apache Kafka 3 Fix deferred next https://www.cve.org/CVERecord?id=CVE-2026-44576 https://nvd.nist.gov/vuln/detail/CVE-2026-44576 https://github.com/vercel/next.js/security/advisories/GHSA-wfc6-r584-vfw7