Back to blog
CVENext.jsSSRFtechnique

Next.js CVE-2026-44578: an SSRF via WebSocket on self-hosted instances

Published on 2026-07-096 min readCleanIssue

> In short: CVE-2026-44578 lets an unauthenticated attacker make your self-hosted Next.js server proxy requests, via crafted WebSocket upgrade requests. CVSS 8.6, affects self-hosted instances only (the built-in Node.js server). Fix: Next.js 15.5.16 and 16.2.5.

Why this matters to you

Next.js is everywhere in modern HR SaaS: it's the default framework for a fast frontend backed by an API. Most teams deploy on Vercel, but a growing number of vendors self-host — on a VPS, in a Docker container, behind their own reverse proxy — for cost, data sovereignty, or France-based hosting reasons.

This CVE only affects that second case. And that's exactly the case that's easiest to forget.

The flaw in two sentences

Next.js's built-in Node.js server handles WebSocket upgrades. On versions 13.4.13 through 15.5.15 and 16.2.4, a crafted WebSocket upgrade request can make the server open a connection to an arbitrary destination — internal or external — chosen by the attacker.

In other words: it's an {SSRF}. Your server becomes a relay that issues requests on your behalf, from inside your network.

What an attacker does with it

An SSRF from an application server is rarely the end goal — it's a pivot point. The classic targets:

  • Cloud metadata endpoints (169.254.169.254 on AWS, GCP, Azure): on a poorly hardened setup, they expose temporary access credentials to the cloud account. That's the scenario behind the Capital One breach.
  • Unexposed internal services: databases, message queues, admin interfaces, other microservices that trust traffic from the internal network.
  • Internal network mapping: an attacker probes the ports and addresses reachable from your server, preparing a broader attack.
  • For an HR vendor, the concrete risk is direct: reaching, from an exposed Next.js frontend, the internal components that handle employee records, payroll, or candidate databases.

    "We're on Vercel", so we're safe?

    Correct — Vercel deployments are not affected, because they don't use the built-in Node.js server. But before closing this tab, ask yourself three questions:

  • Do you have self-hosted staging, demo, or QA environments? They often run on standard Node.js instances, with less hardening and sometimes access to the same network as real data.
  • Has a contractor deployed an instance somewhere, outside your main pipeline?
  • Do you have internal tools (back-office, dashboards) built in Next.js and self-hosted?
  • These are exactly the surfaces that escape the inventory and stay on vulnerable versions months after the fix.

    What to do, in order

  • Inventory your self-hosted Next.js instances — production, staging, demos, internal tools, POCs that became permanent. Note the version of each.
  • Update to 15.5.16 / 16.2.5 or later. This release is part of the May 2026 Next.js security release, which also fixes several middleware bypasses and a denial-of-service flaw: handle the batch at once.
  • Harden cloud metadata access: enforce IMDSv2 on AWS, equivalent restrictions on GCP and Azure. An SSRF with no metadata access is far less dangerous.
  • Segment: your frontend has no reason to freely reach your databases and internal admin interfaces. A restrictive network policy limits the impact of any SSRF, whatever its source.
  • Look for traces: abnormal WebSocket upgrade requests in your logs, unexpected outbound connections from your application servers.
  • The lesson beyond this CVE

    An SSRF doesn't "steal" anything directly: it turns your server into a springboard. That's why it's so often underestimated internally — the patch fixes the instance, but the real issue is the question it raises: *from this server, what is reachable?*

    If your frontend can reach your cloud metadata or internal databases, every future SSRF will be critical. That's exactly the kind of exposure path we map in real conditions. Our First Review checks your Next.js application's exposed surface and the destinations actually reachable from your servers: verdict in 48h.

    Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.

    Need an external review of your HR SaaS?

    Share your product, stack, and client context. We will come back with the right review scope.

    Discuss your audit