Critical Next.js Vulnerability Exposes Cloud Credentials and API Keys


By Sarah Simpson
May 15, 2026

Key Takeaways

  • A critical Server-Side Request Forgery (SSRF) vulnerability, CVE-2026-44578, has been found in the Node.js server bundled with Next.js.
  • The flaw lets an attacker turn that server into a proxy, reaching internal systems, cloud metadata endpoints and the cloud credentials and API keys they serve.
  • Only self-hosted Next.js applications running the default Node.js server are affected; applications hosted on Vercel are not vulnerable.
  • Patches are available in Next.js versions 15.5.16 and 16.2.5, and immediate upgrade is strongly recommended.

Critical Next.js Flaw Puts Cloud Credentials at Risk

A severe Server-Side Request Forgery (SSRF) vulnerability has been identified in Next.js. It affects self-hosted deployments and, in a cloud environment, can give an attacker the credentials needed for a substantial data breach.

Successful exploitation allows an attacker to exfiltrate cloud credentials, harvest API keys, and reach internal administrative panels that were never meant to be exposed. Organizations running self-hosted Next.js are urged to patch without delay, before adversaries use the application server as a foothold into the internal network.

Understanding the Vulnerability: CVE-2026-44578

Designated as CVE-2026-44578, the vulnerability stems from how the integrated Next.js Node.js server processes WebSocket upgrade requests. Malicious actors can craft specific WebSocket requests that manipulate the server into functioning as an unwitting proxy.

The server then forwards these attacker-controlled requests to arbitrary internal or external destinations. Because the request originates from the application server itself, a host that perimeter firewalls and network segmentation already trust, those controls are bypassed. From this position an attacker can query internal network services, reach unprotected administration dashboards, or call cloud metadata endpoints.

Cloud metadata endpoints are particularly attractive targets because they hand out the instance's ephemeral IAM credentials, API tokens and deployment secrets, which are exactly what an attacker needs for deeper penetration. On AWS, GCP and Azure the service listens on the link-local address 169.254.169.254, reachable only from the instance itself, which is why an SSRF is the classic way to get at it. Hardened metadata modes (for example AWS IMDSv2, which requires a session token obtained with a PUT request) raise the bar, but whether a particular SSRF can satisfy those requirements depends on how much of the forwarded request the attacker controls, so they are a mitigation rather than a fix.

Affected Environments and Remediation

This SSRF vulnerability exclusively impacts Next.js applications that are self-hosted and rely on the default Node.js server. Crucially, applications deployed on Vercel’s infrastructure are not susceptible to this exploit, as Vercel does not employ the vulnerable WebSocket routing implementation.

For those managing their own infrastructure, the first step is to verify the Next.js version actually installed (the version in node_modules, not the range in package.json). Both current release tracks, 15.x and 16.x, are affected. The Next.js maintainers have issued patches that add strict safety checks to WebSocket upgrade handling: the server now proxies an upgrade request only when the routing configuration explicitly designates its destination as a safe external rewrite.

According to Tim Neutkens, who disclosed GHSA-c4j6-fc7j-m34r on GitHub, developers should upgrade to Next.js 15.5.16 or 16.2.5 immediately. In scenarios where immediate patching is not feasible, network-level protective measures are advised.

What You Should Do

  • Upgrade Next.js: update self-hosted applications to 15.5.16 (15.x track) or 16.2.5 (16.x track) immediately, and confirm the version in node_modules after deploying, since a lockfile can pin an older build than package.json suggests.
  • Implement Network Protections: if patching has to wait, configure the reverse proxy or load balancer in front of Next.js to reject WebSocket upgrade requests, at minimum for every path the application does not use for WebSockets. This only helps if the Next.js port is reachable solely through that proxy, so bind the Node.js server to localhost or a private interface.
  • Restrict Outbound Traffic: restrict the origin server's egress, blocking the cloud metadata service (169.254.169.254 on AWS, GCP and Azure) and any internal networks the application has no business reaching. Egress rules limit what an SSRF can reach regardless of where the next one appears, so keep them after patching.
