CVE-2026-44578

Published May 13, 2026

Last updated 24 days ago

CVSS high 8.6
Next.js
Port (80)

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-44578 is a Server-Side Request Forgery (SSRF) vulnerability that impacts self-hosted Next.js applications utilizing the built-in Node.js server. This flaw is triggered by specially crafted WebSocket upgrade requests. An attacker can exploit this vulnerability to manipulate the affected server into proxying requests to arbitrary internal or external destinations. This could potentially expose internal network resources or cloud metadata endpoints. Vercel-hosted deployments are not affected by this specific vulnerability, and the resolution involves implementing the same safety checks for WebSocket upgrade handling that are already present for standard HTTP requests.

Description
Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. This vulnerability is fixed in 15.5.16 and 16.2.5.
Source
security-advisories@github.com
NVD status
Analyzed
Products
next.js

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.6
Impact score
4
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-918

Social media

Hype score
Not currently trending
  1. CVE-2026-44578: Next.js SSRF Vulnerability - What It Means for Your Business and How to Respond https://t.co/ZMACQegyEK

    @integ_sec

    31 May 2026

    27 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. @vercel just patched CVE-2026-44578 — it turns a self-hosted Next.js server into an unauthenticated outbound proxy. The uncomfortable part: most exposed instances are vibe-coded apps nobody owns. The CVE surge isn't a tooling problem. It's an ownership problem.

    @musiol_martin

    25 May 2026

    47 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 Critical Nextjs WebSocket SSRF Vulnerability (#CVE-2026-44578) Exposes Cloud Credentials, API Keys & Admin Panels + Video https://t.co/sQXK41nQlo Educational Purposes!

    @UndercodeUpdate

    24 May 2026

    56 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Top 5 Trending CVEs: 1 - CVE-2026-9082 2 - CVE-2026-9256 3 - CVE-2026-44578 4 - CVE-2026-42897 5 - CVE-2024-23265 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    24 May 2026

    133 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2026-44578. 0day Intel: Critical SSRF vulnerability CVE-2026-44578 impacts self-hosted Next.js applicati

    @lyrie_ai

    19 May 2026

    52 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  6. Try our free labs: CVE-2026-44578: Next.js WebSocket Upgrade SSRF via Absolute-Form Request URI CVE-2026-33937: Handlebars.js Template Engine RCE via AST type confusion in compile() CVE-2026-34197: Apache ActiveMQ Jolokia RCE—solved via addNetworkConnector + vm:// transport

    @cveplayground

    19 May 2026

    106 Impressions

    1 Retweet

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. multica 0.3.2 patches CVE-2026-44578 Patches Next.js dependency to address CVE-2026-44578. Upgrade carefully. → https://t.co/zLJolph5UD

    @ReleasePort

    18 May 2026

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. 🚨 CVE-2026-44578 Exploit Framework (NextPulse) Security research framework built by integrating public PoCs into a structured toolkit for vulnerability testing. #CVE #cybersecurity #infosec #bugbounty #exploit #ethicalhacking #0day #informationsecurity #bugbounty #bughunting

    @0xDeathShotXD

    18 May 2026

    325 Impressions

    0 Retweets

    3 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  9. An SSRF has been discovered in Next.js (self-hosted). CVE-2026-44578 allows unauthorized access to internal services and cloud metadata via WebSocket (CVSS High, no authentication required). On the same day, six authentication-bypass CVEs were added. Update to v15.5.18/v16.2.6.

    @tsumikasanedev

    17 May 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  10. Two CVEs this week, same missing spec. CVE-2026-44578: Next.js SSRF, tens of thousands of apps exposed. CVE-2026-44211: Cline AI agent RCE, no Origin check on local WebSocket. Spec the boundary or someone will. SPS Hackathon, May 22-24 https://t.co/ySwxkM8u84 https://t.co/cVkn

    @apartresearch

    17 May 2026

    142 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  11. Next.js SSRF Flaw CVE-2026-44578 Exposes 79K Servers https://t.co/pvrC7525LW #Cybertrending #Cybernewsdaily #Cybersecurity

    @TheCyberDef

    17 May 2026

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. Next.js SSRF Flaw CVE-2026-44578 Exposes 79K Servers https://t.co/Rx4wEyClLr #Cybertrending #Cybernewsdaily #Cybersecurity

    @CyberInsights1

    17 May 2026

    36 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  13. Next.js SSRF Flaw CVE-2026-44578 Exposes 79K Servers https://t.co/Rx4wEyClLr #Cybertrending #Cybernewsdaily #Cybersecurity

    @CyberInsights1

    16 May 2026

    3 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  14. CVE-2026-44578: Next.js WebSocket Upgrade SSRF — pre-auth credential theft via localhost:80. Lab + exploit + audit. https://t.co/Z15Lkl1aj7

    @Dinosn

    16 May 2026

    3957 Impressions

    18 Retweets

    62 Likes

    40 Bookmarks

    0 Replies

    1 Quote

  15. Top 5 Trending CVEs: 1 - CVE-2026-44581 2 - CVE-2026-45185 3 - CVE-2026-44578 4 - CVE-2026-20182 5 - CVE-2026-42945 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    16 May 2026

    144 Impressions

    0 Retweets

    0 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  16. 🚨 CRITICAL NEXT.JS: CVE-2026-44578 (SSRF) 🔓 Flaw in WebSocket → theft of cloud credentials, API keys and access to internal panels ⚠️ Affects self-hosted. Update to avoid exploitation #Nextjs #SSRF #CVE #Ciberseguridad https://t.co/yB6e6Aqoig

    @esecintelcl

    15 May 2026

    89 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. Why CVE-2026-44578 is not like CVE-2025-29927: 44578: the proxy feature runs — just to a forbidden target → #1 29927: middleware protection is skipped → #2 Same Next.js ecosystem. Buzzwords group them. TLCTC separates causes. https://t.co/XBSqMhGK1w #TLCTC #Cybersec

    @fr33thought

    15 May 2026

    32 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. Top 5 Trending CVEs: 1 - CVE-2026-44578 2 - CVE-2016-5195 3 - CVE-2026-0073 4 - CVE-2026-20841 5 - CVE-2025-14180 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    15 May 2026

    320 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  19. More and more vulnerabilities keep getting discovered every day. Today: 1. Microsoft Exchange Server CVE-2026-42897 -> JavaScript spoofing to open email through Outlook Web Access 2. Next.js – WebSocket Upgrade SSRF (CVSS 8.6) CVE-2026-44578 Yesterday 3. NGINX critical remote co

    @kaabimaa

    15 May 2026

    105 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. Judging from the article, the vulnerabilities addressed in the recent Next.js releases are probably these 👀 CVE-2026-44574 CVE-2026-44575 CVE-2026-23870 CVE-2026-44578 CVE-2026-44579 Multiple Critical Vulnerabilities Patched in Next.js and React Server Components https://

    @oTheRwoRldy

    14 May 2026

    301 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. ⚠️ Vulnerabilities in Next.js products ❗ CVE-2026-44578 ❗ CVE-2026-44574 ❗ CVE-2026-44573 ➡️ More info: https://t.co/0U8Att9UKf https://t.co/xSWb6rTBgI

    @CERTpy

    12 May 2026

    86 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. 🚨 High - Next.js Multiple Vulnerabilities (CVE-2026-44573, CVE-2026-44574, CVE-2026-44575, CVE-2026-44578, CVE-2026-44579, CVE-2026-45109) Multiple issues were identified in Next.js affecting App Router, Pages Router, Server Components, WebSockets, and caching mechanisms. The

    @UpwindMDR

    11 May 2026

    91 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. Next.js v16.2.4 Security PoC Collection CVE-2026-23870 CVE-2026-44575 CVE-2026-44579 CVE-2026-44574 CVE-2026-44578 CVE-2026-44573 CVE-2026-44581 CVE-2026-44580 CVE-2026-44577 CVE-2026-44576 CVE-2026-44582 CVE-2026-44572 https://t.co/255KwkLd0c via: Pr0xy

    @Psycho10k_

    11 May 2026

    1975 Impressions

    8 Retweets

    43 Likes

    28 Bookmarks

    0 Replies

    0 Quotes

Configurations

References

Sources include official advisories and independent security research.