CVE-2026-44578— Next.js: Server-side request forgery in applications using WebSocket upgrades
In-the-Wild Activity Observed github_trending · high
Possible ATT&CK Techniques 1AI
T1557 · Adversary-in-the-MiddleGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44578
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Next.js: Server-side request forgery in applications using WebSocket upgrades
Source: NVD (National Vulnerability Database)
Vulnerability Description
Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. This vulnerability is fixed in 15.5.16 and 16.2.5.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
服务端请求伪造(SSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Next.js 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Next.js是Vercel开源的一个 React 框架。 Next.js 13.4.13至15.5.16之前版本和16.2.5之前版本存在代码问题漏洞,该漏洞源于使用内置Node.js服务器自托管时,特制WebSocket升级请求可能导致服务器端请求伪造,攻击者可代理请求到任意内部或外部目标。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-44578
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | Next.js 13.4.13 to before 15.5.16 and 16.2.5 contains a server-side request forgery caused by crafted WebSocket upgrade requests in the built-in Node.js server, letting attackers proxy requests to arbitrary destinations, exploit requires self-hosted deployment. | https://github.com/projectdiscovery/nuclei-templates/blob/main/javascript/cves/2026/CVE-2026-44578.yaml | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44578
请登录查看更多情报信息。
- https://github.com/vercel/next.js/security/advisories/GHSA-c4j6-fc7j-m34rx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2026-44578
Same Patch Batch · vercel · 2026-05-13 · 13 CVEs total
| CVE-2026-44574 | 8.1 HIGH | Next.js: Middleware / Proxy bypass through dynamic route parameter injection |
| CVE-2026-45109 | 7.5 HIGH | Next.js: Middleware / Proxy bypass in App Router applications via segment-prefetch routes |
| CVE-2026-44579 | 7.5 HIGH | Next.js: Denial of Service via connection exhaustion in applications using Cache Component |
| CVE-2026-44575 | 7.5 HIGH | Next.js: Middleware / Proxy bypass in App Router applications via segment-prefetch routes |
| CVE-2026-44573 | 7.5 HIGH | Next.js: Middleware / Proxy bypass in Pages Router applications using i18n |
| CVE-2026-44580 | 6.1 MEDIUM | Next.js: Cross-site scripting in beforeInteractive scripts with untrusted input |
| CVE-2026-44577 | 5.9 MEDIUM | Next.js: Denial of Service in the Image Optimization API |
| CVE-2026-44479 | 5.5 MEDIUM | Vercel: Non-interactive mode includes CLI arguments in suggested command output |
| CVE-2026-44576 | 5.4 MEDIUM | Next.js: Cache poisoning in React Server Component responses |
| CVE-2026-44581 | 4.7 MEDIUM | Next.js: Cross-site scripting in App Router applications using CSP nonces |
| CVE-2026-44572 | 3.7 LOW | Next.js: Middleware / Proxy redirects can be cache-poisoned |
| CVE-2026-44582 | 3.7 LOW | Next.js: Cache poisoning via collisions in React Server Component cache-busting |
IV. Related Vulnerabilities
Same product: next.js
- CVE-2026-45109
Next.js: Middleware / Proxy bypass in App Router application - CVE-2026-44582
Next.js: Cache poisoning via collisions in React Server Comp - CVE-2026-44581
Next.js: Cross-site scripting in App Router applications usi - CVE-2026-44580
Next.js: Cross-site scripting in beforeInteractive scripts w - CVE-2026-44579
Next.js: Denial of Service via connection exhaustion in appl
Same vendor: vercel
- CVE-2026-45773
Turborepo: Login callback CSRF/session fixation - CVE-2026-46508
Turborepo: VSCode Extension command injection - CVE-2026-45772
Turborepo: Unexpected local code execution during Yarn Berry - CVE-2026-45109
Next.js: Middleware / Proxy bypass in App Router application - CVE-2026-44582
Next.js: Cache poisoning via collisions in React Server Comp
Same weakness: CWE-918
- CVE-2026-45338
Open WebUI: SSRF via OAuth Profile Picture URL in _process_p - CVE-2026-45347
Open WebUI: Blind server side request forgery (SSRF) via the - CVE-2026-45400
Open WebUI: Server-Side Request Forgery (SSRF) bypass in `va - CVE-2026-45401
Open WebUI: SSRF Bypass via HTTP Redirect Following in Web-F - CVE-2026-45331
Open WebUI: Full SSRF Vulnerability in the RAG Web Search Fe
V. Comments for CVE-2026-44578
No comments yet