CVE-2026-44578 (HIGH, CVSS 8.6)

Published May 13, 2026 · Updated Jul 3, 2026

Description

Next.js is a React framework for building full-stack web applications. In versions from 13.4.13 up to, but not including, 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery (SSRF) through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. This vulnerability is fixed in 15.5.16 and 16.2.5.

Public Exploits & PoCs (7 found)

[POC] CVE-2026-44578 — nextssrf

NextSSRF — CVE-2026-44578 Scanner & Exploit: Next.js WebSocket Upgrade Handler SSRF

[POC] CVE-2026-44578 — CVE-2026-44578

CVE-2026-44578: Next.js WebSocket Upgrade SSRF — pre-auth credential theft via localhost:80. Lab + exploit + audit.

[POC] CVE-2026-44578 — next-16.2.4-pocs

Next.js v16.2.4 Security PoC Collection (CVE-2026-44578, CVE-2026-44574, CVE-2026-23870, GHSA-267c-6grr-h53f, GHSA-mg66-mrh9-m8jx, CVE-2026-44573, GHSA-gx5p-jg67-6x7h, GHSA-h64f-5h5j-jqjh, GHSA-wfc6-r584-vfw7, CVE-2026-44581, CVE-2026-44582, GHSA-3g8h-86w9-wvmq)

[POC] CVE-2026-44578 — verify-ghsa-c4j6-fc7j-m34r

OOB verifier for GHSA-c4j6-fc7j-m34r / CVE-2026-44578 (Next.js WebSocket-upgrade SSRF)

[POC] CVE-2026-44578 — nextjs-cve-2026-44578

Nuclei templates for detecting CVE-2026-44578 (Next.js WebSocket Upgrade SSRF) with multi-cloud metadata validation, Next.js fingerprinting, and real-world scanning workflows. Includes references to the original NextSSRF research and exploit tooling.

[POC] CVE-2026-44578 — CVE-2026-44578

CVE-2026-44578

[POC] CVE-2026-44578 — NEXT-SSRF

SSRF — CVE-2026-44578 Scanner & Exploit: Next.js WebSocket Upgrade Handler SSRF

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Read as: network attack vector, low attack complexity, no privileges or user interaction required, changed scope (the SSRF reaches systems beyond the vulnerable server), high confidentiality impact, no integrity or availability impact.
