Michael Araque

CVE-2026-44578  ⚠️ Next.js – WebSocket Upgrade SSRF (CVSS 8.6)  A server-side request forgery vulnerability in Next.js allows unauthenticated attackers to force self-hosted instances to make internal HTTP requests via the WebSocket upgrade handler.  By sending a crafted absolute-form HTTP request with Upgrade: websocket headers, attackers can access internal services, cloud metadata endpoints, admin panels, and internal APIs reachable from the Next.js server on port 80. Successful exploitation may expose cloud credentials, API keys, secrets, and configuration data.  Affected: Next.js 13.4.13+, 14.x, 15.x <15.5.16, 16.0.0–16.2.4  Mitigation: Upgrade immediately to 15.5.16 or 16.2.5.   Modat Magnify Query:  technology="Next.js"  The platform:  https://t.co/qJfEh7giE9  #threatintel #vulnerability #CVE202644578 #Nextjs #SSRF #WebSocket #CloudSecurity #infosec #Critical #ModatMagnify