Next.js CVE-2026-44578: an SSRF via WebSocket on self-hosted instances
> In short: CVE-2026-44578 lets an unauthenticated attacker make your self-hosted Next.js server proxy requests, via crafted WebSocket upgrade requests. CVSS 8.6, affects self-hosted instances only (the built-in Node.js server). Fix: Next.js 15.5.16 and 16.2.5.
Why this matters to you
Next.js is everywhere in modern HR SaaS: it's the default framework for a fast frontend backed by an API. Most teams deploy on Vercel, but a growing number of vendors self-host — on a VPS, in a Docker container, behind their own reverse proxy — for cost, data sovereignty, or France-based hosting reasons.
This CVE only affects that second case. And that's exactly the case that's easiest to forget.
The flaw in two sentences
Next.js's built-in Node.js server handles WebSocket upgrades. On versions 13.4.13 through 15.5.15 and 16.2.4, a crafted WebSocket upgrade request can make the server open a connection to an arbitrary destination — internal or external — chosen by the attacker.
In other words: it's an {SSRF}. Your server becomes a relay that issues requests on your behalf, from inside your network.
What an attacker does with it
An SSRF from an application server is rarely the end goal — it's a pivot point. The classic targets:
169.254.169.254 on AWS, GCP, Azure): on a poorly hardened setup, they expose temporary access credentials to the cloud account. That's the scenario behind the Capital One breach.For an HR vendor, the concrete risk is direct: reaching, from an exposed Next.js frontend, the internal components that handle employee records, payroll, or candidate databases.
"We're on Vercel", so we're safe?
Correct — Vercel deployments are not affected, because they don't use the built-in Node.js server. But before closing this tab, ask yourself three questions:
These are exactly the surfaces that escape the inventory and stay on vulnerable versions months after the fix.
What to do, in order
The lesson beyond this CVE
An SSRF doesn't "steal" anything directly: it turns your server into a springboard. That's why it's so often underestimated internally — the patch fixes the instance, but the real issue is the question it raises: *from this server, what is reachable?*
If your frontend can reach your cloud metadata or internal databases, every future SSRF will be critical. That's exactly the kind of exposure path we map in real conditions. Our First Review checks your Next.js application's exposed surface and the destinations actually reachable from your servers: verdict in 48h.
Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.
Related articles
Three adjacent analyses to keep exploring the same attack surface.
WordPress CVE-2026-8206: unauthenticated admin takeover via the Kirki plugin
The Kirki WordPress plugin (6.0.0 to 6.0.6) lets an unauthenticated attacker take over an administrator account via a broken password reset. CVSS 9.8, active exploitation, ~150,000 sites exposed. Fix: 6.0.7.
JavaScript and Next.js: what CVE-2025-29927 changed in the security discussion
CVE-2025-29927 affected a key Next.js component and reminded teams that app-edge protection logic can be fragile. Here is what this flaw really changed.
Server-Side Request Forgery (SSRF): the flaw that opens your cloud
How SSRF lets attackers reach your internal cloud services, with real-world scenarios for AWS, GCP, and Azure.
Sources
Related services
If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.