Categories: Cyber Security News

Critical Next.js Vulnerability Exposes Cloud Credentials, API keys, and Admin Panels

A high-severity vulnerability in Next.js exposes self-hosted web applications to credential theft and internal-network access.

Attackers can exploit a Server-Side Request Forgery (SSRF) flaw to make the application server fetch resources on their behalf, silently stealing cloud credentials, harvesting API keys, and reaching internal admin panels.

Organizations running self-hosted Next.js environments must patch immediately to prevent attackers from pivoting into their internal networks.

Next.js Flaw Exposes Credentials

The vulnerability, tracked as CVE-2026-44578, originates in how the built-in Node.js server that ships with Next.js handles WebSocket upgrade requests.

Attackers can send specially crafted WebSocket upgrade requests that trick the server into acting as a proxy, forwarding the connection to an attacker-chosen internal or external destination.

Because the origin server makes the request from inside the trusted network, perimeter firewalls that would block the attacker directly never see it. Attackers can use this position to query internal services, reach admin dashboards that rely on network location for protection, or contact cloud metadata endpoints.

Cloud metadata endpoints are particularly valuable targets because they hand out temporary IAM credentials, API tokens, and deployment secrets to any process on the instance that can reach them.

This SSRF vulnerability affects only self-hosted Next.js applications that rely on the default Node.js server (for example, deployments started with next start).

Applications deployed on Vercel are not affected: the Vercel infrastructure does not use the vulnerable WebSocket routing implementation.

If you manage your own infrastructure, verify your Next.js version. The flaw affects two release lines, 15.x and 16.x, and each line has its own fixed release.

The Next.js maintainers have released security patches that add strict safety checks to WebSocket upgrade handling.

The server now proxies an upgrade request only when the routing configuration explicitly marks its destination as a safe external rewrite.

Tim Neutkens disclosed GHSA-c4j6-fc7j-m34r on GitHub, advising developers to upgrade to Next.js 15.5.16 or 16.2.5 immediately. Where patching isn’t possible, network-level protections are recommended.

Administrators should configure reverse proxies or load balancers to drop all WebSocket upgrade requests (Connection: Upgrade with Upgrade: websocket) if the application does not use WebSockets in production.

Additionally, security teams must restrict the origin server's outbound traffic, blocking access to the cloud metadata service (169.254.169.254 on AWS, GCP, and Azure) and to internal networks the application has no reason to reach.


The post Critical Next.js Vulnerability Exposes Cloud Credentials, API keys, and Admin Panels appeared first on Cyber Security News.
