CVE-2026-44578
Next.js: Server-side request forgery in applications using WebSocket upgrades
Description
Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. This vulnerability is fixed in 15.5.16 and 16.2.5.
INFO
Published Date :
May 13, 2026, 6:16 p.m.
Last Modified :
May 14, 2026, 6:34 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | [email protected] | ||||
| CVSS 3.1 | HIGH | MITRE-CVE |
Solution
- Update Next.js to version 15.5.16 or 16.2.5.
- Apply vendor patches promptly.
- Review WebSocket request handling.
- Monitor network traffic for suspicious requests.
Public PoC/Exploit Available at Github
CVE-2026-44578 has a 11 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-44578.
| URL | Resource |
|---|---|
| https://github.com/vercel/next.js/security/advisories/GHSA-c4j6-fc7j-m34r | Mitigation Vendor Advisory |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-44578 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-44578
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
lab + PoCs for 5 CVEs (Next.js + Drupal)
Dockerfile TypeScript JavaScript Shell Python
Curadoria viva de projetos e insights sobre AI agents, multi-agent systems, e infra de produção. Atualizado automaticamente pelo Growth Agent.
None
Dockerfile Python Mako Shell TypeScript JavaScript CSS
Next.js SSRF research framework for analyzing WebSocket upgrade handling and cloud metadata exposure in modern deployments.
Python
CVE-2026-44578
Python
CVE-2026-44578: Next.js WebSocket Upgrade SSRF — pre-auth credential theft via localhost:80. Lab + exploit + audit.
Shell Python Dockerfile TypeScript JavaScript
Nuclei templates for detecting CVE-2026-44578 (Next.js WebSocket Upgrade SSRF) with multi-cloud metadata validation, Next.js fingerprinting, and real-world scanning workflows. Includes references to the original NextSSRF research and exploit tooling.
None
Python
NextSSRF — CVE-2026-44578 Scanner & Exploit ║ ║ Next.js WebSocket Upgrade Handler SSRF
Python
In-band verifier framework for High-severity Next.js CVEs
Python
None
JavaScript Python TypeScript Shell
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-44578 vulnerability anywhere in the article.
-
CybersecurityNews
Critical Next.js Vulnerability Exposes Cloud Credentials, API keys, and Admin Panels
A high-severity vulnerability in Next.js threatens self-hosted web applications with severe data breaches. Threat actors can now exploit a Server-Side Request Forgery (SSRF) flaw to silently steal clo ... Read more
The following table lists the changes that have been made to the
CVE-2026-44578 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
May. 14, 2026
Action Type Old Value New Value Added CPE Configuration OR *cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* versions from (including) 16.0.0 up to (excluding) 16.2.5 *cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* versions from (including) 13.4.13 up to (excluding) 15.5.16 Added Reference Type GitHub, Inc.: https://github.com/vercel/next.js/security/advisories/GHSA-c4j6-fc7j-m34r Types: Mitigation, Vendor Advisory -
New CVE Received by [email protected]
May. 13, 2026
Action Type Old Value New Value Added Description Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. This vulnerability is fixed in 15.5.16 and 16.2.5. Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N Added CWE CWE-918 Added Reference https://github.com/vercel/next.js/security/advisories/GHSA-c4j6-fc7j-m34r