Impact Applications using the Pages Router with "i18n" configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less "/_next/data/<buildId>/<page>.json" requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks. Fix The matcher logic was updated to perform the same match as it would on a non-i18n data route. Workarounds If you cannot upgrade immediately, enforce authorization in the page's server-side data path instead of relying solely on middleware.