This WAF bypass involves a middleware bypass vulnerability, tracked as CVE-2026-44574, that affects Next.js applications. Middleware in Next.js is commonly used to check whether a user is authenticated before a request reaches a protected route. The flaw allows attackers to perform dynamic route injection, which bypasses the middleware check and therefore skips the authentication step entirely. Because the bypass targets the routing and middleware system of Next.js itself, no Web Application Firewall (WAF) can safely block the exploit without also breaking legitimate functionality of the application: a rule strict enough to stop the attack would interfere with legitimate application routes. Traditional WAFs are therefore ineffective against this type of bypass, and developers using Next.js should prioritize patching the vulnerability directly in their applications rather than relying on WAF protections.
For more details, check out the original tweet here: https://twitter.com/cyberkendra/status/2052496271685177520