Originally published at devtoolpicks.com
A security research team at Hadrian published a deep-dive yesterday confirming that approximately 79,000 self-hosted Next.js instances are currently exploitable via CVE-2026-44578, a critical server-side request forgery vulnerability in Next.js's WebSocket upgrade handler. The flaw was first disclosed on May 11, 2026, but gained significant traction after the Shodan scan data went public.
If you deploy Next.js on Railway, Coolify, Render, or any bare VPS setup, this is relevant to you. If you host on Vercel, you are not affected.
What Is CVE-2026-44578?
The vulnerability lives in how Next.js handles WebSocket upgrade requests when using the built-in Node.js server. An attacker sends a crafted HTTP request with an Upgrade: websocket header pointing at an internal destination. The Next.js server, without any authentication check, proxies that request to wherever the attacker specifies.
The attacker does not need to be authenticated. The attack complexity is low. A single crafted request is enough to trigger the proxy behavior.
The CVSS score is 8.6 (High), rated High rather than Critical primarily because the direct impact is loss of data confidentiality, not code execution. In practice, the ability to steal live AWS IAM role credentials from a cloud instance is functionally equivalent to full compromise of everything that instance can access.
Are You Vulnerable?
Two conditions must both be true for your app to be at risk:
Self-hosted on the built-in Node.js server. If you run next start or use Next.js with a custom server.js, you use the built-in server. This includes Railway deployments, Coolify-managed apps, Render web services, and direct VPS deployments.
Running an unpatched version. Affected range:
- Version 13.4.13 through 15.5.15
- Version 16.0.0 through 16.2.4
Check your version:
npx next --version
If the output is a version from 13.4.13 up to but not including 15.5.16, or a 16.x version below 16.2.5, you are running a vulnerable version.
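As an added example (not code from the Hadrian write-up or the Next.js project), this Node script applies the affected ranges and upgrade targets given in this article to an installed Next.js version. It assumes the usual node_modules/next/package.json layout and the file name check-next.js.

```javascript
// Added example (not the advisory's or the Next.js project's code): checks an
// installed Next.js version against the affected ranges and upgrade targets
// given in the article. Run `node check-next.js` from the project root; it
// assumes the usual node_modules/next/package.json layout.
const AFFECTED = [
  { from: "13.4.13", to: "15.5.15" }, // inclusive
  { from: "16.0.0", to: "16.2.4" },   // inclusive
];

// "v15.5.16-canary.3" -> [15, 5, 16]; pre-release tags are ignored, so a
// canary of a patched release is treated as patched.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

function isAffected(version) {
  return AFFECTED.some(r =>
    compare(version, r.from) >= 0 && compare(version, r.to) <= 0);
}

// The article's target: 16.2.6 on the 16.x line, otherwise 15.5.18 (a major
// upgrade for 13.x/14.x installs).
function recommendedFor(version) {
  return parseVersion(version)[0] >= 16 ? "16.2.6" : "15.5.18";
}

// needsUpdate also flags 15.5.16 and 16.2.5: they close the SSRF but not the
// incomplete Turbopack middleware-bypass fix the article mentions.
function assess(version) {
  const recommended = recommendedFor(version);
  const needsUpdate = isAffected(version) || compare(version, recommended) < 0;
  return { version, affected: isAffected(version), recommended, needsUpdate };
}

// Resolved installed version; the project's own package.json may hold a range.
function installedVersion(readFile) {
  return JSON.parse(readFile("node_modules/next/package.json", "utf8")).version;
}

if (typeof require === "function" && require.main === module) {
  try { console.log(assess(installedVersion(require("fs").readFileSync))); }
  catch (e) { console.error(`cannot read installed next version: ${e.message}`); }
}
```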
What Can an Attacker Actually Do?
The practical impact depends on your hosting environment.
On AWS with IMDSv1 enabled (the older metadata format), an attacker can reach 169.254.169.254 and retrieve your instance's IAM role credentials. These credentials give access to every AWS service that role can touch: S3 buckets, RDS databases, SQS queues, SSM parameters, and more. This is a full account-level compromise, not just an app-level one.
AWS IMDSv2 is largely protected because it requires a PUT request to mint a session token before any metadata is readable. The SSRF only generates GET requests, so IMDSv2 stops the credential theft path. If you are on AWS, check whether your instances are enforcing IMDSv2.
GCP metadata (metadata.google.internal) rejects requests carrying the Upgrade: websocket header with a 400 error, so GCP users have limited exposure on that vector.
Beyond cloud metadata, the vulnerability exposes any service reachable from your server that assumes only trusted internal traffic reaches it: internal admin interfaces, background job dashboards, database management UIs on non-public ports, and webhook handlers. If any of these run on your private network without their own authentication layer, they can be reached.
How to Fix It
Update your Next.js package to 15.5.18 or 16.2.6. The reasoning for picking the higher version (rather than 15.5.16, which also patches the SSRF) is that a follow-up advisory published on May 7 found the middleware bypass fix (CVE-2026-44575) was incomplete for Turbopack users. 15.5.18 and 16.2.6 cover both issues.
In your project directory (note that next@latest resolves to the newest major line; pin next@15.5.18 if you need to stay on 15.x):
npm install next@latest
# or
yarn upgrade next
# or
pnpm update next
Then verify:
npx next --version
# Should output 15.5.18 or 16.2.6 or higher
After updating, redeploy your application. Restarting the existing process is not sufficient because the change requires a new build.
If You Switched to Self-Hosting After Reading Our Vercel Alternatives Post
A lot of indie hackers recently moved their Next.js apps to Coolify on Hetzner, Railway, or Render to escape Vercel's bandwidth costs. If you set that up in the last few weeks, your deployment almost certainly runs a Next.js version below the patch threshold.
Your setup is exactly the profile this vulnerability targets: self-hosted Node.js server, likely on a cloud instance with an attached IAM role or service account. Running the version check and update takes about three minutes. Worth doing before your morning coffee is finished.
Our Vercel Alternatives breakdown covers each platform's update mechanism if you need a refresher on how to redeploy after a dependency update.
Interim Mitigation If You Cannot Update Immediately
If you are blocked from updating right now (frozen dependencies, deployment freeze, pending staging testing), two steps reduce risk:
Move auth checks into page and API route logic. The SSRF bypasses middleware-based authorization by working at the WebSocket upgrade layer. Auth enforced in getServerSideProps or API handlers is not bypassed by this attack.
Add a reverse proxy rule blocking outbound WebSocket upgrade requests to RFC 1918 address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and cloud metadata IPs (169.254.169.254). An nginx proxy_set_header Upgrade "" directive on internal routing rules does this.
These are bridges, not solutions. Patch as soon as you can.
Context: How This Fits the Broader May 2026 Next.js Security Release
CVE-2026-44578 is one of 13 vulnerabilities disclosed in the May 2026 Next.js security release. The full picture includes middleware bypass flaws, a DoS via crafted HTTP requests, and XSS in App Router apps using CSP nonces. Our earlier post covers the full scope of what Vercel patched.
The SSRF stands apart from that list because it is the one with the clearest path to total cloud account compromise. The others are serious; this one is urgent.