Next.js May 2026 security update

TL;DR · AI summary
Next.js has released an update fixing 13 security vulnerabilities, covering denial of service, middleware bypass and other critical issues.
Key points
- Fixes an upstream vulnerability in React Server Components, tracked as CVE-2026-23870.
- Developers are advised to upgrade to the latest version as soon as possible to avoid potential attack risk.
- The update covers several kinds of security issue, including DoS, SSRF, cache poisoning and XSS.
Next.js May 2026 security release - Vercel
May 7, 2026
Summary
We have shipped a coordinated security release for Next.js addressing 13 advisories across denial of service, middleware and proxy bypass, server-side request forgery, cache poisoning, and cross-site scripting. One advisory addresses an upstream React Server Components vulnerability tracked as CVE-2026-23870.
Recommended actions
Patched versions are available for both React and Next.js, and all affected users should upgrade immediately.
Impact
The release addresses the following advisories:
**Middleware and proxy bypass**
Affects applications that rely on `middleware.js` or `proxy.js` for authorization.
**Denial of service**
Affects applications using Server Functions, Partial Prerendering with Cache Components, or the Image Optimization API.
- High: DoS in React Server Components (tracked upstream as CVE-2026-23870)
- Moderate: DoS via the Image Optimization API
**Server-side request forgery**
Affects applications that handle WebSocket upgrade requests.
**Cache poisoning**
Affects applications with caching layers in front of React Server Component responses.
**Cross-site scripting**
Affects applications using CSP nonces in App Router, or `beforeInteractive` scripts that consume untrusted input.
Resolution
These vulnerabilities are addressed by the patched releases of React and Next.js. Patching is the only complete mitigation, and all affected users should upgrade immediately.
Vercel has not deployed new WAF rules for this release; these advisories cannot be reliably blocked at the WAF layer.
Affected versions

| Package | Affected | Upgrade to |
| --- | --- | --- |
| Next.js 13.x, 14.x | all versions | 15.5.18 or 16.2.6 |
| Next.js 15.x | <=15.5.17 | 15.5.18 |
| Next.js 16.x | <=16.2.5 | 16.2.6 |
| react-server-dom-* 19.0.x | <=19.0.5 | 19.0.6 |
| react-server-dom-* 19.1.x | <=19.1.6 | 19.1.7 |
| react-server-dom-* 19.2.x | <=19.2.5 | 19.2.6 |
Fixed in
- React: `19.0.6`, `19.1.7`, `19.2.6` for the `react-server-dom-parcel`, `react-server-dom-webpack` and `react-server-dom-turbopack` packages
Frameworks and bundlers using react-server-dom-* packages should install the latest versions provided by their respective maintainers.
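As an added example (not Vercel's or the Next.js project's own code), the following Node.js script checks every installed copy of `next` and the `react-server-dom-*` packages in an npm lockfile against the ranges in the affected-versions table and reports the version to upgrade to. The sample lockfile is constructed, and the input shape (the `packages` map of an npm lockfileVersion 2/3 `package-lock.json`) is an assumption.

```javascript
// Added example, not Vercel's code; ranges copied from the advisory table, input assumed to be an npm lockfileVersion 2/3 "packages" map.
const RSD = /^react-server-dom-(parcel|webpack|turbopack)$/;
const ADVISORY = [
  { pkg: "next", prefix: "13.", fixed: "15.5.18 or 16.2.6" },
  { pkg: "next", prefix: "14.", fixed: "15.5.18 or 16.2.6" },
  { pkg: "next", prefix: "15.", lastAffected: "15.5.17", fixed: "15.5.18" },
  { pkg: "next", prefix: "16.", lastAffected: "16.2.5", fixed: "16.2.6" },
  { pkg: RSD, prefix: "19.0.", lastAffected: "19.0.5", fixed: "19.0.6" },
  { pkg: RSD, prefix: "19.1.", lastAffected: "19.1.6", fixed: "19.1.7" },
  { pkg: RSD, prefix: "19.2.", lastAffected: "19.2.5", fixed: "19.2.6" },
];
// "16.2.5-canary.3" -> [16, 2, 5]; prerelease tags are dropped, so a canary of a fixed version counts as fixed.
function parseVersion(v) {
  const m = /^[v=]*(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
// Returns the "Upgrade to" cell for an affected (name, version); null when already fixed or not listed in the table.
function findAdvisory(name, version) {
  for (const row of ADVISORY) {
    const nameOk = row.pkg instanceof RegExp ? row.pkg.test(name) : row.pkg === name;
    if (!nameOk || !version.replace(/^[v=]+/, "").startsWith(row.prefix)) continue;
    return !row.lastAffected || compareVersions(version, row.lastAffected) <= 0 ? row.fixed : null;
  }
  return null;
}
// Walks every installed copy, including nested duplicates hoisted under other packages.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const name = entry.name || path.slice(path.lastIndexOf("node_modules/") + 13);
    const upgradeTo = findAdvisory(name, entry.version);
    if (upgradeTo) findings.push({ path, name, version: entry.version, upgradeTo });
  }
  return findings;
}
// Constructed sample lockfile (not from a real project): one patched package, two affected copies of next.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "example-app", version: "1.0.0" },
  "node_modules/next": { version: "16.2.5" },
  "node_modules/react-server-dom-webpack": { version: "19.2.6" },
  "node_modules/legacy-tool/node_modules/next": { version: "14.2.3" },
} };
```

Run it against a real lockfile with `scanLockfile(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; an empty result means no listed package falls in an affected range.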