CVE-2026-44578
Next.js Server-Side Request Forgery Vulnerability
CVE-2026-44578 is a High-severity server-side request forgery vulnerability affecting self-hosted Next.js applications that use the built-in Node.js server. The vulnerability exists in WebSocket upgrade request handling, where crafted requests can cause the server to proxy connections to arbitrary internal or external destinations. Vercel-hosted deployments are not affected.
Technical Details
Next.js is an open-source React framework for building full-stack web applications. In affected self-hosted deployments, crafted WebSocket upgrade requests can abuse the built-in Node.js server and cause it to proxy requests to attacker-selected destinations.
This may expose internal services, administrative interfaces, or cloud metadata endpoints reachable from the affected server. The issue is tracked as CWE-918 and has a CVSS 3.1 score of 8.6, rated High.
NodeZero® Proactive Security Platform — Rapid Response
A NodeZero Rapid Response test has been developed to safely validate whether this server-side request forgery vulnerability can be exploited in your environment. The test executes real attack techniques without causing damage, giving teams immediate clarity on exposure.
Run the Rapid Response test: Launch from the NodeZero platform to determine whether affected self-hosted Next.js applications can proxy requests to unauthorized internal or external destinations
Patch immediately: Upgrade Next.js to version 15.5.16 or later for the 15.x branch, or 16.2.5 or later for the 16.x branch
Re-run the test: Confirm the vulnerability is no longer exploitable after remediation
Affected versions & patch
Affected:
- Next.js versions >= 13.4.13 and < 15.5.16
- Next.js versions >= 16.0.0 and < 16.2.5
- Self-hosted applications using the built-in Node.js server
Not affected:
- Vercel-hosted deployments
Patch:
- Upgrade to Next.js 15.5.16 or later (15.x branch)
- Upgrade to Next.js 16.2.5 or later (16.x branch)
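A quick way to check an application against the ranges listed above is to compare the installed `next` version with them directly. The script below is an added example written for this page; it is not part of the advisory, Next.js, or NodeZero. It assumes the ranges exactly as stated (>= 13.4.13 and < 15.5.16, >= 16.0.0 and < 16.2.5), reads the version from `node_modules/next/package.json`, and uses a simplified semver comparison in which a prerelease of the fixed version (for example a `15.5.16-canary.*` build) sorts before the release and is therefore still reported as affected; the function names are the example's own.

```javascript
// Added example (not Next.js, NodeZero, or advisory code): report whether an
// installed Next.js version is inside the affected ranges for CVE-2026-44578
// as listed on this page.

// Affected ranges from the advisory: [min, max) where max is the fixed version.
const AFFECTED_RANGES = [
  { min: "13.4.13", max: "15.5.16" }, // 15.x branch fixed in 15.5.16
  { min: "16.0.0",  max: "16.2.5"  }, // 16.x branch fixed in 16.2.5
];

// Parse "MAJOR.MINOR.PATCH" with an optional prerelease tag such as
// "15.5.16-canary.3". Returns null if the input is not a version string.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Simplified semver ordering: numeric triple first; on a tie, a prerelease
// sorts before the release with the same triple, and two prereleases are
// compared as plain strings (full semver compares dotted identifiers
// numerically; that detail is not needed for a range check like this one).
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;  // release > prerelease
  if (b.pre === null) return -1; // prerelease < release
  return a.pre < b.pre ? -1 : 1;
}

// True if `version` lies in any affected range. Versions below 13.4.13 or at
// or above the fixed release of their branch are reported as not affected,
// exactly as the advisory's ranges state.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) throw new Error(`Not a Next.js version string: ${version}`);
  return AFFECTED_RANGES.some(({ min, max }) =>
    compareVersions(v, parseVersion(min)) >= 0 &&
    compareVersions(v, parseVersion(max)) < 0
  );
}

// Read the installed version from node_modules/next/package.json under
// `projectDir` and return a result object (rather than only printing it).
function checkInstalledNext(projectDir) {
  const fs = require("fs");
  const path = require("path");
  const pkgPath = path.join(projectDir || process.cwd(), "node_modules", "next", "package.json");
  if (!fs.existsSync(pkgPath)) {
    return { installed: false, version: null, affected: false };
  }
  const version = JSON.parse(fs.readFileSync(pkgPath, "utf8")).version;
  return { installed: true, version, affected: isAffected(version) };
}

// Usage: node check-next-cve-2026-44578.js [path/to/project]
if (typeof require !== "undefined" && require.main === module) {
  const r = checkInstalledNext(process.argv[2]);
  if (!r.installed) {
    console.log("next is not installed under node_modules");
  } else if (r.affected) {
    console.log(`next@${r.version}: AFFECTED by CVE-2026-44578; upgrade to 15.5.16 (15.x) or 16.2.5 (16.x)`);
  } else {
    console.log(`next@${r.version}: not in an affected range`);
  }
}

if (typeof module !== "undefined") {
  module.exports = { parseVersion, compareVersions, isAffected, checkInstalledNext };
}
```

The check only answers the version question. Whether a given deployment is actually exposed also depends on the second condition the advisory lists, that the application is self-hosted on the built-in Node.js server, which a package.json lookup cannot tell you.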
Timeline
- May 6, 2026 – GitHub advisory GHSA-c4j6-fc7j-m34r was published for CVE-2026-44578.
- May 11, 2026 – The advisory was published to the GitHub Advisory Database.
- May 13, 2026 – NVD published CVE-2026-44578.
- May 14, 2026 – The GitHub advisory was last updated.