Anonymous Intelligence Signal

CVE-2026-44578: Next.js WebSocket SSRF Flaw Exposes Self-Hosted Deployments to Internal Network Access

The Lab (unverified) | 2026-05-14 17:48:28 | Source: GitHub Issues

Next.js has patched a critical server-side request forgery (SSRF) vulnerability, tracked as CVE-2026-44578 with a CVSS score of 8.6, that allows unauthenticated attackers to trick self-hosted Next.js servers into making arbitrary internal HTTP requests on their behalf. The flaw lies in how the framework handles WebSocket upgrade requests: it is triggered by crafted absolute-form HTTP requests (requests whose target is a full URL rather than a path) that carry an `Upgrade: websocket` header. Successful exploitation gives attackers a pathway to cloud metadata endpoints, internal administrative interfaces, and any service reachable from the compromised server's network position.

The vulnerability affects Next.js versions 13.4.13 and above, spanning the 14.x, 15.x, and 16.x branches through 16.2.4. The patch has been released in version 16.2.6, with the fix initially landing in 16.2.5. Organizations running self-hosted Next.js deployments behind reverse proxies, container environments, or cloud infrastructure—including Docker, Nginx, Fly.io, Render, and Amazon EC2—are urged to update immediately. The attack surface does not extend to applications hosted on Vercel's platform, as the platform handles WebSocket upgrades before requests reach the Next.js runtime.

The implications extend beyond immediate server access. By reaching the cloud metadata endpoint at 169.254.169.254, an attacker could harvest IAM credentials, access tokens, and API keys assigned to the compromised instance. This creates a potential cascade: lateral movement into managed databases, object storage, or internal microservices becomes viable once initial access is achieved. Security teams should prioritize patch deployment for internet-facing Next.js instances and audit network egress rules to restrict metadata endpoint access at the host level.
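Until the patch is deployed, the request shape described above can be hunted for in access logs. The following detection is an added example, not code from the Next.js project or from the advisory; it assumes a constructed log format that records the raw request line and the `Upgrade` header value (a reverse proxy may normalize absolute-form targets, so log as close to the Next.js process as possible).

```python
"""Flag log entries matching the CVE-2026-44578 request shape:
an absolute-form request target combined with an Upgrade: websocket header.
Entries whose absolute-form target names a loopback, private or link-local
address (e.g. the 169.254.169.254 metadata endpoint) are rated high."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample log; format is an assumption: client "request line" upgrade="<header>"
SAMPLE_LOG = """\
203.0.113.7 "GET /api/health HTTP/1.1" upgrade="-"
203.0.113.7 "GET /_next/webpack-hmr HTTP/1.1" upgrade="websocket"
198.51.100.9 "GET http://169.254.169.254/ HTTP/1.1" upgrade="websocket"
198.51.100.9 "GET http://10.0.0.12:8080/admin HTTP/1.1" upgrade="websocket"
198.51.100.9 "GET http://cdn.example.net/asset.js HTTP/1.1" upgrade="websocket"
198.51.100.9 "GET http://cdn.example.net/asset.js HTTP/1.1" upgrade="-"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+" '
    r'upgrade="(?P<upgrade>[^"]*)"$'
)


def is_absolute_form(target: str) -> bool:
    """True when the request target is a full URL (absolute-form) rather than a path."""
    return target.lower().startswith(("http://", "https://", "ws://", "wss://"))


def target_host_is_internal(target: str) -> bool:
    """True when the URL host is loopback, private (RFC 1918) or link-local."""
    host = urlsplit(target).hostname
    if host is None:
        return False
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a DNS name; resolution is out of scope for log review
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local


def classify(line: str):
    """Return a finding dict for a suspicious line, or None for benign lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    if not (is_absolute_form(m["target"]) and m["upgrade"].lower() == "websocket"):
        return None  # origin-form WebSocket upgrades and plain absolute-form requests are normal
    severity = "high" if target_host_is_internal(m["target"]) else "medium"
    return {"client": m["client"], "target": m["target"],
            "host": urlsplit(m["target"]).hostname, "severity": severity}


def scan(log_text: str) -> list:
    """Run classify() over every line and keep the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]
```

Medium-severity hits (absolute-form target naming an external host) still merit review, since the framework's handling of the target, not the destination, is the defect.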