
CVE-2026-44578: How Vibe-Coded Next.js Apps Got Exposed

CVE-2026-44578 turns self-hosted Next.js servers into SSRF proxies.

May 15, 2026

On May 11, Vercel shipped patches for a cluster of Next.js vulnerabilities. One of them, CVE-2026-44578, lets an unauthenticated attacker turn your self-hosted Next.js server into an outbound HTTP proxy. CVSS 8.6. No login required. One crafted request.

If you deployed a Next.js app to a VPS in the last two years and have not touched the dependencies since, you are probably running it.

What the bug actually does

The built-in Node.js server that next start runs has a WebSocket upgrade handler. When a request arrives with Upgrade: websocket and Connection: Upgrade headers and an absolute-form request target (a full URL such as http://host/path rather than a plain path), the handler proxies the request onward. The bug is that this upgrade path skipped the routing safety checks that the regular HTTP request path already enforced, so an attacker can point the proxy at anything reachable from your server: cloud metadata endpoints, internal admin panels, sidecar APIs, anything listening on port 80 inside your VPC.

The primitive is limited: GET requests only, no write access, no direct RCE path. It is still a credential-stealing primitive against any metadata service that hands out credentials in response to a plain GET, which covers AWS instances still on IMDSv1, Azure and Oracle. AWS IMDSv2 is largely safe because the token-mint step needs a PUT, and GCP's metadata server rejects requests that carry the Upgrade header. Everything else reachable over plain HTTP is fair game.

Affected versions: Next.js 13.4.13 through 15.5.15, and 16.0.0 through 16.2.4. Patched in: 15.5.16 and 16.2.5. Not affected: Vercel-hosted apps, because they do not use the built-in server.

Why this matters for vibe-coded apps

Most apps shipped through AI coding sessions inherit Next.js as the default frontend. The codebase gets generated, deployed to a Hetzner box or a small EC2 instance, pointed at a domain, and forgotten. The owner does not subscribe to the Next.js security feed. They do not run npm audit on a schedule. They do not know what a WebSocket upgrade handler is.

This is the dependency risk we keep flagging. Your codebase is fine. The framework underneath it grew six new holes while you were shipping features.

What to do

Upgrade to 15.5.16 or 16.2.5 immediately if you are self-hosted. If you cannot upgrade right away, reduce the blast radius:

  • Block WebSocket upgrades at your reverse proxy unless you actually use them, and keep the Node.js server bound to localhost so the proxy cannot be bypassed by hitting its port directly.
  • Lock down egress from the app server so it cannot reach the metadata address (169.254.169.254 on AWS, GCP, Azure and Oracle) or internal subnets it has no reason to talk to.
  • Enforce IMDSv2 on AWS by setting the instance metadata option that requires session tokens; an attacker limited to GET cannot mint one.
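For the reverse-proxy mitigation, this is what the change looks like in nginx. It is an added example, not configuration from the post or from the Next.js project, and it assumes the app listens on 127.0.0.1:3000 behind nginx with the assumed hostname app.example.com, and that the production app does not serve WebSockets itself (Next.js only needs them for dev-mode hot reloading). The first server block is the widely copied recipe that forwards upgrades straight to the Node.js server; the second refuses them before they get there.

```nginx
# BEFORE: the usual copy-paste proxy block. It deliberately passes the
# Upgrade and Connection headers through, so a crafted upgrade request
# lands on the vulnerable handler inside the Next.js server.
server {
    listen 443 ssl;
    server_name app.example.com;   # assumed hostname

    location / {
        proxy_pass         http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection "upgrade";
        proxy_set_header   Host $host;
    }
}

# AFTER: answer 403 to any request carrying an Upgrade header before it is
# proxied, and stop forwarding the upgrade headers at all. The map must sit
# at http level; $http_upgrade is empty when the header is absent.
map $http_upgrade $deny_upgrade {
    default 1;
    ""      0;
}

server {
    listen 443 ssl;
    server_name app.example.com;   # assumed hostname

    location / {
        if ($deny_upgrade) {
            return 403;
        }
        proxy_pass         http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header   Connection "";
        proxy_set_header   Host $host;
    }
}
```

The explicit 403 is the part that matters: nginx passes most client headers through unchanged by default, so deleting the two proxy_set_header lines alone is not a guarantee. After nginx -t and a reload, send a request with Upgrade: websocket and Connection: Upgrade headers to the public hostname and confirm it gets a 403, then confirm port 3000 is not reachable from outside the box.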

Longer term, you need a way to know when your framework ships a security patch. For most vibe-coded production apps, that mechanism does not exist. We audit for exactly this: the gap between what your AI wrote and what your stack is doing in production today.

If you are self-hosting Next.js and cannot say with confidence which version you are on, that is the audit.

VibeAudits
