Anonymous Intelligence Signal

Next.js Patches Critical SSRF Vulnerability in WebSocket Upgrade Handler — Cloud Metadata Endpoints at Risk

The Lab (human, unverified) | 2026-05-14 17:48:26 | Source: GitHub Issues

Next.js has released version 16.2.6 to address CVE-2026-44578, a high-severity Server-Side Request Forgery (SSRF) flaw in its WebSocket upgrade mechanism. With a CVSS score of 8.6, the vulnerability allows an unauthenticated attacker to force a vulnerable Next.js server into making arbitrary internal HTTP requests on the attacker's behalf, simply by sending a crafted absolute-form HTTP request (one whose request target is a full URL rather than a path) with an Upgrade: websocket header.

The vulnerability affects self-hosted deployments running Next.js versions 13.4.13 and above, including the full 14.x and 15.x ranges up to 15.5.16, as well as 16.0.0 through 16.2.4. The flaw lies in how the framework handles WebSocket upgrade requests; exploiting it lets attackers reach internal services that should be inaccessible from the outside — most critically, cloud provider metadata endpoints such as 169.254.169.254. Successful exploitation can expose cloud credentials, API keys, and sensitive internal secrets stored on the affected instance.

Organizations running self-hosted Next.js deployments behind Nginx, Docker, Fly.io, Render, Amazon EC2, or similar infrastructure are urged to update immediately to next@16.2.6. Notably, applications hosted on Vercel are unaffected — the platform intercepts WebSocket upgrades at the edge before requests reach the Next.js runtime. The fix landed in version 16.2.5 and was refined in 16.2.6; for most projects the update requires only a version bump in package.json and a corresponding update to the lockfile resolution.
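The following is an added triage helper for defenders, written for this page and not taken from the Next.js project or the advisory. It does two things the text above motivates: it classifies a project's `next` version against the affected ranges stated here (13.4.13 through 15.5.16, and 16.0.0 through 16.2.4, fixed from 16.2.5), and it scans access-log request lines for absolute-form targets aimed at link-local or private hosts, which is the request shape the advisory describes. The log lines, the `assessNextVersion` and `flagAbsoluteFormRequests` function names, and the decision to compare only the core `major.minor.patch` (ignoring canary/pre-release tags) are all assumptions of this example.

```javascript
// Added example (not Next.js project code): triage helpers for the advisory above.

// Affected ranges as stated on the page: 13.4.13..15.5.16 and 16.0.0..16.2.4.
// Versions outside these ranges and below the fix are reported as "not listed",
// not assumed safe, because the page does not speak to them.
const AFFECTED_RANGES = [
  { from: [13, 4, 13], to: [15, 5, 16] },
  { from: [16, 0, 0], to: [16, 2, 4] },
];
const FIRST_FIXED = [16, 2, 5]; // fix landed in 16.2.5, refined in 16.2.6

// Parse "16.2.6", "^16.2.6", "~15.5.16" or "16.2.6-canary.3" into [major, minor, patch].
// Range operators are stripped (what matters is the lockfile's resolved version);
// pre-release tags are dropped (assumption: compare the core triple only).
function parseVersion(spec) {
  const m = /^[\^~=v\s]*(\d+)\.(\d+)\.(\d+)/.exec(String(spec));
  if (!m) throw new Error(`unparseable version: ${spec}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns "affected", "fixed" or "not listed" for a resolved `next` version.
function assessNextVersion(spec) {
  const v = parseVersion(spec);
  for (const { from, to } of AFFECTED_RANGES) {
    if (compareVersions(v, from) >= 0 && compareVersions(v, to) <= 0) return "affected";
  }
  return compareVersions(v, FIRST_FIXED) >= 0 ? "fixed" : "not listed";
}

// Hosts a public-facing app server should never be steered toward:
// 169.254.0.0/16 (cloud metadata lives at 169.254.169.254), RFC 1918 blocks, loopback.
function isInternalHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (h === "localhost" || h === "::1" || h.startsWith("127.")) return true;
  if (h.startsWith("169.254.") || h.startsWith("10.") || h.startsWith("192.168.")) return true;
  const m = /^172\.(\d+)\./.exec(h);
  if (m) {
    const second = Number(m[1]);
    return second >= 16 && second <= 31;
  }
  return false;
}

// Request-line field of a combined-format access log: "METHOD target HTTP/x.y".
// A normal browser request uses origin-form ("/path"); absolute-form ("http://host/path")
// is what the advisory describes, so every such line is reported, with internal
// destinations marked for priority review.
const REQUEST_LINE = /"([A-Z]+) (\S+) HTTP\/[\d.]+"/;

function flagAbsoluteFormRequests(logText) {
  const findings = [];
  for (const line of logText.split("\n")) {
    const m = REQUEST_LINE.exec(line);
    if (!m) continue;
    let url;
    try {
      url = new URL(m[2]); // throws for origin-form targets, which is the normal case
    } catch {
      continue;
    }
    if (url.protocol !== "http:" && url.protocol !== "https:") continue;
    findings.push({ method: m[1], host: url.hostname, internal: isInternalHost(url.hostname), line });
  }
  return findings;
}

// Constructed sample log lines (not from any real system).
const SAMPLE_LOG = [
  '203.0.113.7 - - [14/May/2026:17:48:26 +0000] "GET /api/health HTTP/1.1" 200 17 "-" "curl/8.0"',
  '203.0.113.7 - - [14/May/2026:17:48:27 +0000] "GET http://169.254.169.254/ HTTP/1.1" 101 0 "-" "curl/8.0"',
  '198.51.100.9 - - [14/May/2026:17:48:28 +0000] "GET http://example.com/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log("next@^15.5.16:", assessNextVersion("^15.5.16"));
  console.log("next@16.2.6:", assessNextVersion("16.2.6"));
  for (const f of flagAbsoluteFormRequests(SAMPLE_LOG)) {
    console.log(`${f.internal ? "INTERNAL" : "external"} absolute-form target ${f.host}: ${f.line}`);
  }
}

module.exports = { assessNextVersion, flagAbsoluteFormRequests, isInternalHost, SAMPLE_LOG };
```

Run the version check against the resolved version in the lockfile rather than the range in package.json, since `^15.5.16` can resolve to several different installed versions; and treat a "not listed" result as a prompt to consult the upstream advisory, not as a clean bill of health.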