CVE-2026-44578: Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades

May 11, 2026 (updated May 14, 2026)

Self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected.

References

github.com/advisories/GHSA-c4j6-fc7j-m34r
github.com/vercel/next.js/releases/tag/v15.5.16
github.com/vercel/next.js/releases/tag/v16.2.5
github.com/vercel/next.js/security/advisories/GHSA-c4j6-fc7j-m34r
nvd.nist.gov/vuln/detail/CVE-2026-44578

Code Behaviors & Features

Detect and mitigate CVE-2026-44578 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →