Cyber Resilience

CVE-2026-44578

Severity: High
Published: 13 May 2026
Modified: 14 May 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available (Next.js 15.5.16 and 16.2.5)
CVSS Score v3.1: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.3776 (98.3rd percentile)
Risk Priority: 60 (floored blend · peak EPSS)

Summary

CVE-2026-44578 is a high-severity server-side request forgery (SSRF, CWE-918) vulnerability in Next.js (Vercel). Its CVSS 3.1 base score is 8.6 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.7% of all CVEs by EPSS exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST SP 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation). Both are compensating controls; the only fix the advisory describes is upgrading to a patched release.

Deeper analysis

Next.js, the React framework for full-stack web applications, contains a server-side request forgery vulnerability tracked as CVE-2026-44578. The flaw affects self-hosted deployments that use the built-in Node.js server, on the 13.x to 15.x line from 13.4.13 up to and including 15.5.15, and on the 16.x line from 16.0.0 up to and including 16.2.4; Vercel-hosted instances are unaffected. An attacker can supply a crafted WebSocket upgrade request that causes the server to proxy traffic to arbitrary internal or external destinations, exposing internal services or cloud metadata endpoints. The issue carries a CVSS 3.1 score of 8.6 and is classified under CWE-918.

Because the attack requires no authentication and can be launched over the network, any remote adversary who can reach a vulnerable Next.js instance can use it to reach resources that are otherwise inaccessible from the Internet. Exploitation does not depend on user interaction and can result in high-impact confidentiality loss without affecting integrity or availability. The changed scope in the CVSS vector (S:C) reflects that the impact lands on the systems the server is made to connect to, not on the Next.js process itself.

The referenced GitHub advisory GHSA-c4j6-fc7j-m34r states that the vulnerability is resolved in Next.js 15.5.16 and 16.2.5. Administrators should upgrade to one of these patched releases; no other mitigations are described in the advisory. The EPSS score recorded at disclosure was 0.0722; the current value shown in the header, 0.3776 (98.3rd percentile), is substantially higher, so exploit likelihood should be treated as rising rather than flat.
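The version ranges above are easy to misread when a lockfile pins a canary or a pre-release build. The following is an added example (not code from the advisory or from the Next.js project) that encodes the two affected ranges as the advisory states them, "from 13.4.13 to before 15.5.16" and "16.0.0 to before 16.2.5", and checks an installed version against them. The lockfile fragment is constructed for illustration; the `node_modules/next` key follows the npm lockfile v2/v3 layout.

```javascript
// Added example: decide whether an installed Next.js version falls inside the
// affected ranges for CVE-2026-44578. Ranges come from the advisory text:
//   >= 13.4.13 and < 15.5.16, or >= 16.0.0 and < 16.2.5.
const AFFECTED_RANGES = [
  { min: [13, 4, 13], fixedIn: [15, 5, 16] },
  { min: [16, 0, 0], fixedIn: [16, 2, 5] },
];

// Parse "15.5.15", "v15.5.15" or "15.5.16-canary.3" into a [major, minor, patch]
// triple plus an optional pre-release tag. Returns null for non-semver input.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Compare two [major, minor, patch] triples: negative, zero or positive.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function isAffected(version) {
  const parsed = parseVersion(version);
  if (!parsed) throw new Error(`not a semver version: ${version}`);
  const { nums, pre } = parsed;
  return AFFECTED_RANGES.some(({ min, fixedIn }) => {
    if (cmp(nums, min) < 0) return false;
    const c = cmp(nums, fixedIn);
    // By semver ordering a pre-release of the fixed version (15.5.16-canary.1)
    // sorts before 15.5.16, so it is still inside "before 15.5.16". Confirm any
    // such build against the advisory before trusting it.
    return c < 0 || (c === 0 && pre !== null);
  });
}

// Pull the resolved `next` version out of an npm lockfile (v2/v3 layout).
function nextVersionFromLock(lockJson) {
  const lock = JSON.parse(lockJson);
  const entry = lock.packages && lock.packages['node_modules/next'];
  return entry ? entry.version : null;
}

function auditLock(lockJson) {
  const version = nextVersionFromLock(lockJson);
  if (version === null) return { version: null, affected: false, reason: 'next not present in lockfile' };
  const affected = isAffected(version);
  return {
    version,
    affected,
    reason: affected ? 'upgrade to 15.5.16 or 16.2.5' : 'outside the affected ranges',
  };
}

// Constructed sample lockfile fragment (hypothetical project, for illustration only).
const SAMPLE_LOCK = JSON.stringify({
  name: 'example-app',
  lockfileVersion: 3,
  packages: { 'node_modules/next': { version: '15.5.15' } },
});

console.log(auditLock(SAMPLE_LOCK)); // { version: '15.5.15', affected: true, ... }
```

Run it against the real lockfile with `auditLock(fs.readFileSync('package-lock.json', 'utf8'))`; for pnpm or yarn lockfiles, feed the resolved `next` version to `isAffected` directly.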


Vulnerability details

Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. This vulnerability is fixed in 15.5.16 and 16.2.5.

CWE(s)

CWE-918 Server-Side Request Forgery (SSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

An SSRF in an Internet-facing Next.js server is exploited directly over the public interface, which is T1190 (Exploit Public-Facing Application); the payoff is the ability to proxy requests to internal services and cloud metadata endpoints.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-57822 (same product: Vercel Next.js)
CVE-2026-44575 (same product: Vercel Next.js)
CVE-2026-45109 (same product: Vercel Next.js)
CVE-2025-29927 (same product: Vercel Next.js)
CVE-2026-44574 (same product: Vercel Next.js)
CVE-2026-44573 (same product: Vercel Next.js)
CVE-2025-59472 (same product: Vercel Next.js)
CVE-2025-59471 (same product: Vercel Next.js)
CVE-2026-27980 (same product: Vercel Next.js)
CVE-2026-27979 (same product: Vercel Next.js)

Affected Assets

Vendor: vercel
Product: next.js
Affected versions: >= 13.4.13 and < 15.5.16 · >= 16.0.0 and < 16.2.5 (fixed in 15.5.16 and 16.2.5)

Mitigating Controls

Mitigating Controls (NIST SP 800-53 r5)

AC-4 Information Flow Enforcement · prevent

Enforces policy-based restrictions on information flows so the Next.js server cannot proxy arbitrary WebSocket upgrade requests to internal or cloud-metadata destinations.

SI-10 Information Input Validation · prevent

Requires validation of all input (including WebSocket upgrade headers) to reject crafted values that trigger the SSRF proxy behavior.

SC-7 Boundary Protection · prevent, detect

Boundary-protection mechanisms can inspect and filter outbound connection attempts originating from the Next.js server before they reach internal or external targets.
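The AC-4 and SC-7 controls above amount to one concrete check: before the application server opens an outbound connection on someone else's behalf, decide whether the resolved destination is one an Internet-facing host should be allowed to reach. The block below is an added example of that check (not code from the advisory or from Next.js, and not a substitute for upgrading, which is the only fix the advisory describes). It classifies a resolved IP as internal when it falls in loopback, RFC 1918, carrier-grade NAT, link-local (which covers the 169.254.169.254 cloud metadata address), IPv6 unique-local or link-local space, or an IPv4-mapped IPv6 form of any of those, and refuses the connection if any resolved address is internal. The hostname-to-address table is constructed for illustration; where you hook `checkEgress` in (a custom `lookup` on an `http.Agent`, or an egress proxy in front of the server) is an assumption about your deployment.

```javascript
// Added example: egress destination policy of the kind AC-4 / SC-7 describe,
// applied to the addresses a hostname actually resolved to. Pure functions, no
// network access; the resolution table at the bottom is constructed.

function isIPv4Literal(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  return !!m && m.slice(1).every(o => Number(o) <= 255);
}

function ipv4ToInt(ip) {
  const p = ip.split('.').map(Number);
  return ((p[0] << 24) >>> 0) + (p[1] << 16) + (p[2] << 8) + p[3];
}

// Address blocks an Internet-facing app server should not be proxying into.
const DENIED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['224.0.0.0', 4], ['240.0.0.0', 4],
];

function inCidrV4(ip, base, bits) {
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

function isInternalV4(ip) {
  return DENIED_V4.some(([base, bits]) => inCidrV4(ip, base, bits));
}

// Expand an IPv6 literal (with "::" compression and an optional dotted-quad
// tail such as ::ffff:169.254.169.254) into eight 16-bit groups.
function expandIPv6(ip) {
  let s = ip;
  const dotted = /^(.*:)(\d+\.\d+\.\d+\.\d+)$/.exec(s);
  if (dotted) {
    const n = ipv4ToInt(dotted[2]);
    s = dotted[1] + (n >>> 16).toString(16) + ':' + (n & 0xffff).toString(16);
  }
  const halves = s.split('::');
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length > 1 && halves[1] ? halves[1].split(':') : [];
  const fill = halves.length > 1 ? new Array(8 - head.length - tail.length).fill('0') : [];
  return [...head, ...fill, ...tail].map(g => parseInt(g, 16));
}

function isInternalV6(ip) {
  const g = expandIPv6(ip);
  // IPv4-mapped (::ffff:0:0/96): judge by the embedded IPv4 address, so a
  // mapped form of the metadata address does not slip past the v4 rules.
  if (g.slice(0, 5).every(x => x === 0) && g[5] === 0xffff) {
    return isInternalV4([g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff].join('.'));
  }
  if (g.every(x => x === 0)) return true;                            // :: unspecified
  if (g.slice(0, 7).every(x => x === 0) && g[7] === 1) return true;  // ::1 loopback
  if ((g[0] & 0xfe00) === 0xfc00) return true;                       // fc00::/7 unique local
  if ((g[0] & 0xffc0) === 0xfe80) return true;                       // fe80::/10 link local
  if ((g[0] & 0xff00) === 0xff00) return true;                       // ff00::/8 multicast
  return false;
}

function isInternalAddress(ip) {
  if (isIPv4Literal(ip)) return isInternalV4(ip);
  if (ip.includes(':')) return isInternalV6(ip);
  throw new Error(`not an IP literal: ${ip}`);
}

// Policy decision for one proxied connection. It runs on the resolved
// addresses, not the hostname string, so a name that rebinds to an internal
// address (or mixes external and internal answers) is refused. `allowlist`
// names hosts an operator has explicitly approved for internal reachability.
function checkEgress(hostname, resolvedIps, allowlist = []) {
  const internal = resolvedIps.find(ip => isInternalAddress(ip));
  if (internal === undefined) return { allow: true, reason: 'all resolved addresses are external' };
  if (allowlist.includes(hostname)) return { allow: true, reason: `${hostname} is allowlisted` };
  return { allow: false, reason: `${hostname} resolves to internal address ${internal}` };
}

// Constructed resolution results (hypothetical names, TEST-NET addresses).
const SAMPLE_RESOLUTIONS = {
  'metadata.example': ['169.254.169.254'],
  'api.example': ['203.0.113.5'],
  'rebind.example': ['203.0.113.5', '10.0.0.7'],
  'mapped.example': ['::ffff:127.0.0.1'],
};

for (const [host, ips] of Object.entries(SAMPLE_RESOLUTIONS)) {
  console.log(host, checkEgress(host, ips));
}
```

The decision deliberately fails closed on mixed answers: if any resolved address is internal the connection is refused, because the connect call will use whichever address the resolver returns first and the attacker may control that ordering.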

References

GitHub Security Advisory GHSA-c4j6-fc7j-m34r (fix in Next.js 15.5.16 and 16.2.5)