{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40299", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T20:22:44.035Z", "datePublished": "2026-04-17T20:49:05.642Z", "dateUpdated": "2026-04-20T15:58:51.149Z"}, "containers": {"cna": {"title": "next-intl has an open redirect vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "lang": "en", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/amannn/next-intl/security/advisories/GHSA-8f24-v5vv-gm5j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/amannn/next-intl/security/advisories/GHSA-8f24-v5vv-gm5j"}, {"name": "https://github.com/amannn/next-intl/pull/2304", "tags": ["x_refsource_MISC"], "url": "https://github.com/amannn/next-intl/pull/2304"}, {"name": "https://github.com/amannn/next-intl/commit/1c80b668aa6d853f470319eec10a3f61e78a70e6", "tags": ["x_refsource_MISC"], "url": "https://github.com/amannn/next-intl/commit/1c80b668aa6d853f470319eec10a3f61e78a70e6"}, {"name": "https://github.com/amannn/next-intl/releases/tag/v4.9.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/amannn/next-intl/releases/tag/v4.9.1"}], "affected": [{"vendor": "amannn", "product": "next-intl", "versions": [{"version": "< 4.9.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T20:49:05.642Z"}, "descriptions": [{"lang": "en", "value": "next-intl provides internationalization for Next.js. Applications using the `next-intl` middleware prior to version 4.9.1with `localePrefix: 'as-needed'` could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host (e.g. scheme-relative `//` or control characters stripped by the URL parser), so the middleware could redirect the browser off-site while the user still started from a trusted app URL. The problem has been patchedin `next-intl@4.9.1`."}], "source": {"advisory": "GHSA-8f24-v5vv-gm5j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T15:56:01.407919Z", "id": "CVE-2026-40299", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T15:58:51.149Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40299", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T15:56:01.407919Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T15:56:13.622Z"}}], "cna": {"title": "next-intl has an open redirect vulnerability", "source": {"advisory": "GHSA-8f24-v5vv-gm5j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "amannn", "product": "next-intl", "versions": [{"status": "affected", "version": "< 4.9.1"}]}], "references": [{"url": "https://github.com/amannn/next-intl/security/advisories/GHSA-8f24-v5vv-gm5j", "name": "https://github.com/amannn/next-intl/security/advisories/GHSA-8f24-v5vv-gm5j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/amannn/next-intl/pull/2304", "name": "https://github.com/amannn/next-intl/pull/2304", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/amannn/next-intl/commit/1c80b668aa6d853f470319eec10a3f61e78a70e6", "name": "https://github.com/amannn/next-intl/commit/1c80b668aa6d853f470319eec10a3f61e78a70e6", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/amannn/next-intl/releases/tag/v4.9.1", "name": "https://github.com/amannn/next-intl/releases/tag/v4.9.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "next-intl provides internationalization for Next.js. Applications using the `next-intl` middleware prior to version 4.9.1with `localePrefix: 'as-needed'` could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host (e.g. scheme-relative `//` or control characters stripped by the URL parser), so the middleware could redirect the browser off-site while the user still started from a trusted app URL. The problem has been patchedin `next-intl@4.9.1`."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T20:49:05.642Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40299", "state": "PUBLISHED", "dateUpdated": "2026-04-20T15:58:51.149Z", "dateReserved": "2026-04-10T20:22:44.035Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-17T20:49:05.642Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "next-intl provides internationalization for Next.js. Applications using the `next-intl` middleware prior to version 4.9.1with `localePrefix: 'as-needed'` could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host (e.g. scheme-relative `//` or control characters stripped by the URL parser), so the middleware could redirect the browser off-site while the user still started from a trusted app URL. The problem has been patchedin `next-intl@4.9.1`."}], "id": "CVE-2026-40299", "lastModified": "2026-04-29T21:04:10.060", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-17T21:16:34.707", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/amannn/next-intl/commit/1c80b668aa6d853f470319eec10a3f61e78a70e6"}, {"source": "security-advisories@github.com", "url": "https://github.com/amannn/next-intl/pull/2304"}, {"source": "security-advisories@github.com", "url": "https://github.com/amannn/next-intl/releases/tag/v4.9.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/amannn/next-intl/security/advisories/GHSA-8f24-v5vv-gm5j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "next-intl: next-intl: Open Redirect vulnerability allows off-site redirection via crafted URLs", "id": "2459333", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459333"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-601", "details": ["A flaw was found in next-intl, a library for internationalization in Next.js applications. A remote attacker could exploit this vulnerability in applications using the `next-intl` middleware with `localePrefix: 'as-needed'`. By crafting specific URLs, the attacker could cause the middleware to redirect a user's browser to an arbitrary external website, even if the user initially started from a trusted application URL. This could lead to users being unknowingly directed to malicious sites."], "name": "CVE-2026-40299", "package_state": [{"cpe": "cpe:/a:redhat:amq_streams:2", "fix_state": "Not affected", "package_name": "com.github.streamshub-console", "product_name": "streams for Apache Kafka 2"}, {"cpe": "cpe:/a:redhat:amq_streams:2", "fix_state": "Out of support scope", "package_name": "next-intl", "product_name": "streams for Apache Kafka 2"}, {"cpe": "cpe:/a:redhat:amq_streams:3", "fix_state": "Not affected", "package_name": "com.github.streamshub-console", "product_name": "streams for Apache Kafka 3"}, {"cpe": "cpe:/a:redhat:amq_streams:3", "fix_state": "Fix deferred", "package_name": "next-intl", "product_name": "streams for Apache Kafka 3"}, {"cpe": "cpe:/a:redhat:amq_streams:3", "fix_state": "Fix deferred", "package_name": "next-intl-swc-plugin-extractor", "product_name": "streams for Apache Kafka 3"}], "public_date": "2026-04-17T20:49:05Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-40299\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40299\nhttps://github.com/amannn/next-intl/commit/1c80b668aa6d853f470319eec10a3f61e78a70e6\nhttps://github.com/amannn/next-intl/pull/2304\nhttps://github.com/amannn/next-intl/releases/tag/v4.9.1\nhttps://github.com/amannn/next-intl/security/advisories/GHSA-8f24-v5vv-gm5j"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.9.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "next-intl", "source": "cna", "vendor": "amannn"}, "product": "next-intl", "vendor": "amannn"}], "analysis": {"en": {"generated_at": "2026-04-18T20:03:24.618529+00:00", "value": {"mitigation_remediation": ["Upgrade next\u2011intl to version 4.9.1 or later", "Reconfigure the application to avoid using localePrefix 'as-needed' unless absolutely necessary", "Implement strict validation of redirect targets to allow only trusted hosts"], "summary": {"action": "Patch", "impact": "Open Redirect"}, "threat_synthesis": {"affected_systems": "The affected product is amannn's next\u2011intl, a package used for internationalization in Next.js applications. Systems that employ a version prior to 4.9.1 of next\u2011intl and have the localePrefix configuration set to \"as-needed\" are vulnerable. Versions 4.9.1 and newer contain the fix.", "description_and_impact": "The vulnerability in the next\u2011intl middleware allows an attacker to influence the redirect target processed by the browser. By manipulating a relative redirect in an application using the middleware with localePrefix set to \"as-needed\", the WHATWG URL parser resolves the target to another host. This leads to the browser being sent to an off\u2011site domain while the user believes the navigation originates from a trusted application URL. The weakness is a classic open\u2011redirect flaw (CWE\u2011601). The impact is the potential for phishing, credential theft, or malicious site visits without user awareness.", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.9, indicating a moderate severity. The EPSS score is less than 1%, indicating low but non\u2011zero likelihood of exploitation, but the lack of a KEV listing suggests no widespread exploitation has been reported yet. However, open redirects are widely leveraged in phishing campaigns, so the risk remains non\u2011negligible. The attack vector is largely user\u2011initiated through navigation to a crafted link generated by the application."}}}}, "created": "2026-04-18T20:15:09.538073+00:00", "updated": "2026-04-20T14:59:37.209551+00:00", "vendors": ["amannn", "amannn$PRODUCT$next-intl"]}