Next.js
The React framework for the web.
Next.js 16.2.6 patches multiple high-severity vulnerabilities
A security-focused patch addressing 5 high-severity CVEs including middleware bypass exploits, denial of service vectors, and cache poisoning risks. Upgrade recommended for all production apps.
Next.js 16.2.6 is a security-only patch release: no new features, just fixes that production teams should not skip. The most critical issues addressed are two separate middleware and proxy bypass vulnerabilities in App Router applications (GHSA-267c-6grr-q5fj and a follow-up incomplete fix), a server-side request forgery vector triggered via WebSocket upgrades, and a denial of service via connection exhaustion in apps using Cache Components. On the XSS front, issues affecting App Router apps using CSP nonces and beforeInteractive scripts with untrusted input are both patched. Two cache poisoning issues in React Server Component responses round out the high-impact fixes.
The release also includes a handful of bug fixes: preserved HTTP access fallbacks during prerender recovery, a fix for double-encoded URL pathname parts, and a corrected response path for route-level RSC requests in deployment adapters.
Full release notes on github.com