CVE-2026-40299
Received Received - Intake
Open Redirect Vulnerability in next-intl Middleware Prior to

Publication date: 2026-04-17

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
next-intl provides internationalization for Next.js. Applications using the `next-intl` middleware prior to version 4.9.1with `localePrefix: 'as-needed'` could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host (e.g. scheme-relative `//` or control characters stripped by the URL parser), so the middleware could redirect the browser off-site while the user still started from a trusted app URL. The problem has been patchedin `[email protected]`.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40299
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
next-intl next-intl to 4.9.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the next-intl middleware for Next.js applications prior to version 4.9.1 when using the configuration option localePrefix set to 'as-needed'.

In this scenario, the middleware could construct URLs where the path handling and the WHATWG URL parser would resolve a relative redirect target to a different host. This could happen due to scheme-relative URLs (e.g., URLs starting with //) or control characters being stripped by the URL parser.

As a result, the middleware might redirect a user from a trusted application URL to an off-site location without the user's intention.

This issue was fixed in next-intl version 4.9.1.

Impact Analysis

This vulnerability can impact you by allowing an attacker to redirect users from a trusted application URL to an external, potentially malicious website.

Such off-site redirects can be exploited for phishing attacks, where users might be tricked into providing sensitive information or downloading malware.

It can also undermine user trust in your application and potentially lead to security breaches if users are redirected to harmful sites.

Mitigation Strategies

To mitigate this vulnerability, update the next-intl package to version 4.9.1 or later, where the issue has been patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40299. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart