Next.js SSRF via Crafted WebSocket Requests (CVE-2026-44578)

A critical server-side request forgery (SSRF) vulnerability, CVE-2026-44578, has been identified in Next.js, a popular React framework. According to the National Vulnerability Database, versions from 13.4.13 up to, but not including, 15.5.16 and 16.2.5 are affected. The flaw affects self-hosted Next.js applications that use the built-in Node.js server and lets attackers proxy requests to arbitrary internal or external destinations through specially crafted WebSocket upgrade requests.

This isn’t a theoretical risk; it’s a direct path to internal network reconnaissance and potential data exfiltration. An attacker can leverage this SSRF to scan internal services, access cloud metadata endpoints, or even interact with other internal APIs that are typically unexposed to the public internet. The CVSS score of 8.6 (High) reflects the significant impact, particularly the complete compromise of confidentiality (C:H) due to the ability to access sensitive internal resources. Importantly, the National Vulnerability Database confirms that Vercel-hosted deployments are not affected.

For defenders, this means any self-hosted Next.js application within the vulnerable version range is a prime target. The attacker’s calculus here is straightforward: exploit the SSRF to gain an internal foothold, then pivot to deeper network access. This is a classic initial access vector that can lead to much larger incidents. Patching is the immediate imperative, but understanding the full scope of potential internal exposure if exploited is also critical.

What This Means For You

  • If your organization uses self-hosted Next.js applications, immediately verify their versions. Any deployment on version 13.4.13 or later that is older than 15.5.16 or 16.2.5 is vulnerable to server-side request forgery. Patch to version 15.5.16 or 16.2.5 without delay. After patching, audit logs for any unusual WebSocket upgrade requests or outbound connections from your Next.js servers to internal IPs or cloud metadata endpoints.
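
One way to run the outbound-connection audit described above, as an added example that is not part of the original advisory. The flow-record layout, the Next.js host list and the allow-list of expected (destination, port) pairs are assumptions to adapt to your own egress or flow logs.

```python
import ipaddress

# Well-known instance-metadata addresses (IPv4 link-local and AWS's IPv6 IMDS).
METADATA = {ipaddress.ip_address("169.254.169.254"),
            ipaddress.ip_address("fd00:ec2::254")}

# Constructed sample records (assumed layout): "timestamp src_ip dst_ip dst_port".
SAMPLE_FLOWS = """\
2026-05-14T02:11:07Z 10.20.0.15 169.254.169.254 80
2026-05-14T02:11:09Z 10.20.0.15 10.20.3.8 6379
2026-05-14T02:11:12Z 10.20.0.15 93.184.216.34 443
2026-05-14T02:11:15Z 10.20.0.15 ::ffff:127.0.0.1 9200
2026-05-14T02:11:20Z 10.20.0.99 10.20.3.8 6379
2026-05-14T02:11:21Z 10.20.0.15 10.20.1.4 5432
"""

def classify(dst):
    """Return 'metadata', 'loopback', 'link-local', 'internal' or 'external'."""
    ip = ipaddress.ip_address(dst)
    # Unwrap IPv4-mapped IPv6 so ::ffff:10.0.0.1 is judged as 10.0.0.1.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip in METADATA:
        return "metadata"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "internal"
    return "external"

def audit(flows, nextjs_hosts, allowed):
    """Flag non-external destinations reached from Next.js hosts,
    skipping (dst_ip, port) pairs the application is expected to use."""
    findings = []
    for line in flows.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore malformed records
        ts, src, dst, port = parts
        if src not in nextjs_hosts:
            continue  # only traffic originating from the Next.js servers
        kind = classify(dst)
        if kind != "external" and (dst, int(port)) not in allowed:
            findings.append((ts, dst, int(port), kind))
    return findings
```

Calling `audit(SAMPLE_FLOWS, {"10.20.0.15"}, {("10.20.1.4", 5432)})` leaves the expected database connection out and returns the metadata, internal and loopback destinations for review.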

🛡️ Detection Rules

CVE-2026-44578 - Next.js WebSocket SSRF to Cloud Metadata Endpoint

Sigma YAML
title: CVE-2026-44578 - Next.js WebSocket SSRF to Cloud Metadata Endpoint
id: scw-2026-05-13-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-44578 by sending crafted WebSocket upgrade requests to the Next.js _next/webpack-hmr endpoint. This pattern specifically targets the vulnerability allowing SSRF to internal or external destinations, including cloud metadata endpoints.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44578/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # Fields inside one selection are ANDed: all three must match the same request.
  selection:
    cs-uri|contains:
      - '/_next/webpack-hmr'
    cs-method:
      - 'GET'
    cs-uri-query|contains:
      - 'ws://'
  # Fire whenever the selection matches.
  condition: selection
falsepositives:
  - Legitimate administrative activity

Indicators of Compromise

ID | Type | Indicator
CVE-2026-44578 | SSRF | Next.js versions from 13.4.13 to before 15.5.16
CVE-2026-44578 | SSRF | Next.js versions from 13.4.13 to before 16.2.5
CVE-2026-44578 | SSRF | Self-hosted Next.js applications using the built-in Node.js server
CVE-2026-44578 | SSRF | Vulnerable to server-side request forgery through crafted WebSocket upgrade requests

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 13, 2026 at 21:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
