Critical Next.js SSRF Flaw Is Exposing 79,000 Self-Hosted Apps: Check Yours Now
A critical Next.js SSRF flaw is exposing cloud credentials on self-hosted apps. 79,000 instances are exploitable today. Vercel-hosted deployments are not affected. Here is what to check and how to fix it.
A security research team at Hadrian published a deep-dive yesterday confirming that approximately 79,000 self-hosted Next.js instances are currently exploitable via CVE-2026-44578, a critical server-side request forgery vulnerability in Next.js's WebSocket upgrade handler. The flaw was first disclosed on May 11, 2026 but gained significant traction after the Shodan scan data went public.
If you deploy Next.js on Railway, Coolify, Render, or any bare VPS setup, this is relevant to you. If you host on Vercel, you are not affected.
What Is CVE-2026-44578?
The vulnerability lives in how Next.js handles WebSocket upgrade requests when using the built-in Node.js server. An attacker sends a crafted HTTP request with an Upgrade: websocket header pointing at an internal destination. The Next.js server, without any authentication check, proxies that request to wherever the attacker specifies.
```mermaid
flowchart LR
A[Attacker] -->|Crafted WebSocket upgrade request| B[Your Next.js server]
B -->|Proxies internal GET request| C{Internal target}
C -->|AWS metadata 169.254.169.254| D[IAM role credentials]
C -->|Internal API on port 3001| E[Sensitive data]
C -->|Admin panel| F[Unauthorized access]
D -->|Used to access| G[S3, RDS, other AWS resources]
```
The attacker does not need to be authenticated. The attack complexity is low. A single crafted request is enough to trigger the proxy behavior.
The CVSS score is 8.6 (High). It is rated High rather than Critical primarily because the impact is loss of confidentiality, not code execution. In practice, the ability to steal live AWS IAM role credentials from a cloud instance is functionally equivalent to full compromise of everything that instance can access.
Are You Vulnerable?
Two conditions must both be true for your app to be at risk:
Self-hosted on the built-in Node.js server. If you run next start or use Next.js with a custom server.js, you use the built-in server. This includes Railway deployments, Coolify-managed apps, Render web services, and direct VPS deployments.
Running an unpatched version. Affected range:
- Version 13.4.13 through 15.5.15
- Version 16.0.0 through 16.2.4
Check your version:
```shell
npx next --version
```
If the output is a 13.x, 14.x or 15.x version below 15.5.16 (and at or above 13.4.13), or a 16.x version below 16.2.5, you are running a vulnerable version.
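The version check above, and the same check restated in the FAQ below, as an added example in JavaScript (not code from this post or from the Next.js project): it takes either the raw output of npx next --version or a bare version string, parses it without any dependency, and reports whether it falls inside either affected range and which version to move to. The treatment of canary or other prerelease tags is this example's own conservative assumption, not something the post states.

```javascript
// Added example (not from the original post): classify a Next.js version
// string against the affected ranges given in the post.
//
// Affected ranges, as stated in the post:
//   13.4.13 .. 15.5.15  (fixed in 15.5.16; 15.5.18 recommended)
//   16.0.0  .. 16.2.4   (fixed in 16.2.5;  16.2.6 recommended)
const AFFECTED_RANGES = [
  { from: [13, 4, 13], to: [15, 5, 15], fixed: "15.5.16", recommended: "15.5.18" },
  { from: [16, 0, 0], to: [16, 2, 4], fixed: "16.2.5", recommended: "16.2.6" },
];

// Parse "15.5.16", "v16.2.4" or "15.5.16-canary.3" into { parts, prerelease }.
// A package.json range such as "^15.0.0" is not an exact version and throws,
// which is why the post prefers `npx next --version` over package.json.
function parseVersion(raw) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(raw).trim());
  if (!m) throw new Error(`not an exact version: ${JSON.stringify(raw)}`);
  return {
    parts: [Number(m[1]), Number(m[2]), Number(m[3])],
    prerelease: m[4] || null,
  };
}

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function compareParts(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { vulnerable, fixed, recommended } for an exact version string.
// Assumption (conservative, this example's own): a prerelease of the fix
// version, e.g. 15.5.16-canary.3, sorts below 15.5.16 under semver rules and
// is therefore still reported as inside the affected range.
function classify(raw) {
  const { parts, prerelease } = parseVersion(raw);
  for (const r of AFFECTED_RANGES) {
    const fixedParts = parseVersion(r.fixed).parts;
    const inRange =
      compareParts(parts, r.from) >= 0 &&
      (compareParts(parts, r.to) <= 0 ||
        (prerelease !== null && compareParts(parts, fixedParts) === 0));
    if (inRange) {
      return { vulnerable: true, fixed: r.fixed, recommended: r.recommended };
    }
  }
  return { vulnerable: false, fixed: null, recommended: null };
}

// Accepts the raw output of `npx next --version` (assumed here to look like
// "Next.js v15.5.18") as well as a bare version string.
function classifyOutput(output) {
  const m = /v?(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)/.exec(String(output));
  if (!m) throw new Error(`no version found in: ${JSON.stringify(output)}`);
  return classify(m[1]);
}

// CLI usage: node check-next-version.js "$(npx next --version)"
const cliArg = typeof process !== "undefined" && process.argv && process.argv[2];
if (cliArg) {
  try {
    const r = classifyOutput(cliArg);
    console.log(
      r.vulnerable
        ? `VULNERABLE: update to ${r.recommended} (minimum ${r.fixed})`
        : "not in an affected range"
    );
  } catch (err) {
    console.error(err.message);
  }
}
```

Run it from the project directory so the installed version, not the semver range in package.json, is what gets classified.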
What Can an Attacker Actually Do?
The practical impact depends on your hosting environment.
On AWS with IMDSv1 enabled (the older metadata format), an attacker can reach 169.254.169.254 and retrieve your instance's IAM role credentials. These credentials give access to every AWS service that role can touch: S3 buckets, RDS databases, SQS queues, SSM parameters, and more. This is a full account-level compromise, not just an app-level one.
AWS IMDSv2 is largely protected because it requires a PUT request to mint a session token before any metadata is readable. The SSRF only generates GET requests, so IMDSv2 stops the credential theft path. If you are on AWS, check whether your instances are enforcing IMDSv2.
GCP metadata (metadata.google.internal) rejects requests carrying the Upgrade: websocket header with a 400 error, so GCP users have limited exposure on that vector.
Beyond cloud metadata, the vulnerability exposes any service reachable from your server that assumes only trusted internal traffic reaches it: internal admin interfaces, background job dashboards, database management UIs on non-public ports, and webhook handlers. If any of these run on your private network without their own authentication layer, they can be reached.
How to Fix It
Update your Next.js package to 15.5.18 or 16.2.6. The reasoning for picking the higher version (rather than 15.5.16 which also patches the SSRF) is that a follow-up advisory published on May 7 found the middleware bypass fix (CVE-2026-44575) was incomplete for Turbopack users. 15.5.18 and 16.2.6 cover both issues.
In your project directory:
```shell
npm install next@latest
# or
yarn upgrade next
# or
pnpm update next
```
Then verify:
```shell
npx next --version
# Should output 15.5.18 or 16.2.6 or higher
```
After updating, redeploy your application. Restarting the existing process is not sufficient because the change requires a new build.
If You Switched to Self-Hosting After Reading Our Vercel Alternatives Post
A lot of indie hackers recently moved their Next.js apps to Coolify on Hetzner, Railway, or Render to escape Vercel's bandwidth costs. If you set that up in the last few weeks, your deployment almost certainly runs a Next.js version below the patch threshold.
Your setup is exactly the profile this vulnerability targets: self-hosted Node.js server, likely on a cloud instance with an attached IAM role or service account. Running the version check and update takes about three minutes. Worth doing before your morning coffee is finished.
Our Vercel Alternatives breakdown covers each platform's update mechanism if you need a refresher on how to redeploy after a dependency update.
Interim Mitigation If You Cannot Update Immediately
If you are blocked from updating right now (frozen dependencies, deployment freeze, pending staging testing), two steps reduce risk:
Move auth checks into page and API route logic. The SSRF bypasses middleware-based authorization by working at the WebSocket upgrade layer. Auth enforced in getServerSideProps or API handlers is not bypassed by this attack.
Add a rule on the reverse proxy in front of your Next.js server that blocks WebSocket upgrade requests aimed at RFC 1918 address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and cloud metadata IPs (169.254.169.254). An nginx proxy_set_header Upgrade "" directive on the internal routing rules does this by stripping the Upgrade header before the request reaches Next.js. Be aware that stripping the header on a route also breaks any legitimate WebSocket traffic that passes through that same route.
These are bridges, not solutions. Patch as soon as you can.
Context: How This Fits the Broader May 2026 Next.js Security Release
CVE-2026-44578 is one of 13 vulnerabilities disclosed in the May 2026 Next.js security release. The full picture includes middleware bypass flaws, a DoS via crafted HTTP requests, and XSS in App Router apps using CSP nonces. Our earlier post covers the full scope of what Vercel patched.
The SSRF stands apart from that list because it is the one with the clearest path to total cloud account compromise. The others are serious; this one is urgent.
Frequently Asked Questions
Is my Vercel-hosted Next.js app affected by CVE-2026-44578?
No. Vercel-hosted applications are not affected by this SSRF vulnerability. The flaw exists in the built-in Node.js server that self-hosted apps use, which Vercel replaces with its own infrastructure. If your Next.js app is deployed directly to Vercel, you do not need to do anything for this specific CVE. Apps hosted on Netlify are also not affected by the SSRF. Apps self-hosted on Railway, Render, Coolify, or bare VPS instances are affected if they have not been patched.
How do I check if I am running a vulnerable version of Next.js?
Run npx next --version in your project directory. If your version is between 13.4.13 and 15.5.15, or between 16.0.0 and 16.2.4, you are vulnerable. Safe versions are 15.5.18 and above, or 16.2.6 and above. You can also check your package.json for the next dependency version, though npx next --version is more reliable as it reflects what is actually installed rather than the semver range specified.
What exactly can an attacker do with this Next.js SSRF?
An attacker with network access to your Next.js server sends a crafted WebSocket upgrade request. This causes your server to proxy an internal HTTP GET request to any destination reachable from your server, including AWS Instance Metadata Service (169.254.169.254 on IMDSv1), internal admin panels on other ports, internal APIs not meant to be public, and other services on your private network. If you use AWS with IMDSv1 enabled, the attacker can retrieve your instance role credentials and use them to access S3 buckets, RDS databases, and other AWS resources.
What is the difference between patching to 15.5.16 and 15.5.18?
15.5.16 patches the SSRF vulnerability (CVE-2026-44578) but a follow-up advisory revealed the middleware bypass fix (CVE-2026-44575) was incomplete for Turbopack users. 15.5.18 covers both the SSRF and the Turbopack middleware bypass. If you use Turbopack in your build process, you must be on 15.5.18 or 16.2.6. If you are not using Turbopack, 15.5.16 covers the SSRF, but upgrading to 15.5.18 is still the safest path.
What is the interim fix if I cannot update Next.js right away?
Two interim mitigations reduce risk while you prepare the update. First, move authorization checks into your page and API route logic rather than relying exclusively on middleware path matching. The SSRF uses WebSocket upgrade requests to bypass middleware, so middleware-only auth is not reliable against this attack. Second, add a reverse proxy rule (nginx or Caddy) to block WebSocket upgrade headers targeting internal IP ranges. Neither of these fully eliminates risk the way patching does, so treat them as temporary bridges.