CVE-2026-44578
Published: 13 May 2026
Summary
CVE-2026-44578 is a high-severity SSRF (CWE-918) vulnerability in Vercel Next.js. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Next.js, the React framework for full-stack web applications, contains a server-side request forgery vulnerability tracked as CVE-2026-44578. The flaw affects self-hosted deployments that use the built-in Node.js server in versions 13.4.13 through 15.5.15 and 16.2.4; Vercel-hosted instances are unaffected. An attacker can supply a crafted WebSocket upgrade request that causes the server to proxy traffic to arbitrary internal or external destinations, exposing services or cloud metadata endpoints. The issue carries a CVSS 3.1 score of 8.6 and is classified under CWE-918.
Because the attack requires no authentication and can be launched over the network, any remote adversary who can reach a vulnerable Next.js instance can leverage it to reach otherwise inaccessible resources. Exploitation does not depend on user interaction and can result in high-impact confidentiality breaches without affecting integrity or availability.
The referenced GitHub advisory GHSA-c4j6-fc7j-m34r states that the vulnerability is resolved in Next.js 15.5.16 and 16.2.5. Administrators should upgrade to one of these patched releases; no other mitigations are described in the advisory. The associated EPSS score has remained flat at 0.0722 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-30080
Vulnerability details
Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. This vulnerability is fixed in 15.5.16 and 16.2.5.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SSRF vulnerability in a public-facing Next.js server directly enables T1190 (Exploit Public-Facing Application): a remote attacker uses the exposed server to proxy requests to internal or cloud endpoints.
Mitigating Controls (NIST 800-53 r5)
- AC-4 (Information Flow Enforcement): enforces policy-based restrictions on information flows so the Next.js server cannot proxy arbitrary WebSocket upgrade requests to internal or cloud-metadata destinations.
- SI-10 (Information Input Validation): requires validation of all input (including WebSocket upgrade headers) to reject crafted values that trigger SSRF proxy behavior.
- SC-7 (Boundary Protection): boundary-protection mechanisms can inspect and filter outbound connection attempts originating from the Next.js server before they reach internal or external targets.