Server-Side Request Forgery Vulnerability in Next.js Framework by Vercel
CVE-2026-44578

8.6 HIGH

Key Information:

Vendor: Vercel

Status: Vendor

CVE Published: 13 May 2026

Badges

🥇 Trended No. 1 · 📈 Trended · 📈 Score: 113,000 · 👾 Exploit Exists · 🟑 Public PoC · 📰 News Worthy

What is CVE-2026-44578?

CVE-2026-44578 is a critical vulnerability identified in the Next.js framework, which is developed by Vercel and widely used for building full-stack web applications. The flaw is a server-side request forgery (SSRF) issue that can be triggered by a crafted WebSocket upgrade request. It primarily affects self-hosted applications that use the built-in Node.js server, in versions from 13.4.13 up to (but not including) 15.5.16 and in 16.x releases before 16.2.5. If exploited, the vulnerability can allow unauthorized access to internal services or cloud metadata endpoints, because the server can be made to proxy requests to arbitrary external or internal destinations. This poses a serious risk for organizations relying on Next.js for application development, as it can lead to unauthorized data disclosure and exploitation of internal resources.

Potential impact of CVE-2026-44578

  1. Unauthorized Access to Internal Systems: Exploiting this vulnerability can enable attackers to access sensitive internal services that are otherwise protected, leading to significant data exposure and possible data breaches.

  2. Data Leakage of Cloud Metadata: The ability to access cloud metadata endpoints can result in the exposure of critical configuration data, potentially allowing attackers to gain access to other cloud resources, keys, and credentials.

  3. Increased Risk of Compromise: The proxying of requests to external malicious destinations may allow attackers to execute further malicious activities within the network, escalating the overall risk of a compromise and potential cascading impacts on interconnected services.

Affected Version(s)

| Package | Affected | Unaffected | Fixed |
|---------|----------|------------|-------|
| next.js | >= 16.0.0, < 16.2.5 | < 16.0.0 | 16.2.5 |
| next.js | >= 13.4.13, < 15.5.16 | < 13.4.13 | 15.5.16 |

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

News Articles

Multiple Critical Vulnerabilities Patched in Next.js and React Server Components

Vercel has released an extensive set of security advisories for Next.js, addressing more than a dozen vulnerabilities, including denial-of-service, middleware bypass, server-side request forgery, and cross-site scripting.

4 weeks ago

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • 🥇 Vulnerability reached the number 1 worldwide trending spot

  • 📈 Vulnerability started trending

  • 🟑 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • 📰 First article discovered by Cybersecuritynews

  • Vulnerability Reserved