What is the CVSS score of CVE-2026-44578?

CVE-2026-44578 has a CVSS 3.1 base score of 8.6 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Next.js are affected by CVE-2026-44578?

Next.js self-hosted deployments are vulnerable to unauthenticated server-side request forgery through WebSocket upgrade requests, allowing attackers to access internal services and cloud metadata…. A patch is available.

Is there a public PoC exploit available for CVE-2026-44578?

Yes, a public proof-of-concept exploit is available for CVE-2026-44578. Prioritise patching immediately. EPSS: 0.0%.

Next.js CVE-2026-44578

HIGH

Server-Side Request Forgery (SSRF) (CWE-918)

2026-05-11 https://github.com/vercel/next.js

GHSA-c4j6-fc7j-m34r

SSRF Node.js

8.6

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Source Code Evidence Fetched

May 11, 2026 - 16:16 vuln.today

Analysis Generated

May 11, 2026 - 16:16 vuln.today

CVE Published

May 11, 2026 - 15:55 nvd

HIGH 8.6

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

21 npm packages depend on next (21 direct, 0 indirect)

Ecosystem-wide dependent count for version 13.4.13.

DescriptionNVD

Impact

Self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected.

Fix

We now apply the same safety checks to WebSocket upgrade handling that already existed for normal HTTP requests, so upgrade requests are only proxied when routing has explicitly marked them as safe external rewrites.

Workarounds

If you cannot upgrade immediately, do not expose the origin server directly to untrusted networks. If WebSocket upgrades are not required, block them at your reverse proxy or load balancer, and restrict origin egress to internal networks and metadata services where possible.

AnalysisAI

Server-side request forgery in Next.js allows remote unauthenticated attackers to proxy requests to arbitrary internal or external destinations through crafted WebSocket upgrade requests in self-hosted applications using the built-in Node.js server. Attackers can access internal services and cloud metadata endpoints (AWS, GCP, Azure instance metadata) without authentication. …

RemediationAI

Within 24 hours: Identify all self-hosted Next.js deployments and confirm running versions against affected ranges (13.4.13-15.5.15, 16.0.0-16.2.4). Within 7 days: Upgrade to Next.js 15.5.16 or 16.2.5 depending on current major version; verify no Vercel-hosted instances are misconfigured as self-hosted. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-44578 vulnerability details – vuln.today

Back

Next.js CVE-2026-44578

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

Impact

Fix

Workarounds

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code