Critical Next.js Vulnerability Exposes Cloud Credentials, API keys, and Admin Panels
Cybersecurity News
By Abinaya
May 15, 2026
A high-severity vulnerability in Next.js threatens self-hosted web applications with severe data breaches.
Threat actors can now exploit a Server-Side Request Forgery (SSRF) flaw to silently steal cloud credentials, harvest API keys, and access sensitive internal admin panels.
Organizations running self-hosted Next.js environments must patch immediately to prevent attackers from pivoting into their internal networks.
Next.js Flaw Exposes Credentials
The vulnerability, tracked as CVE-2026-44578, originates in how the built-in Next.js Node.js server handles WebSocket upgrade requests.
Attackers can send specially crafted WebSocket requests that trick the server into acting as a proxy. This forces the server to forward malicious requests to arbitrary internal or external destinations.
Because the server itself issues the forwarded request, the traffic originates inside the network perimeter and bypasses external firewalls. Attackers can use this trusted position to query internal network services, access unprotected admin dashboards, or reach cloud metadata endpoints.
Cloud metadata endpoints are particularly valuable targets because they often expose temporary IAM credentials, API tokens, and deployment secrets.
This SSRF vulnerability strictly impacts self-hosted Next.js applications relying on the default Node.js server.
If your application runs on Vercel, you remain completely safe from this exploit. The Vercel infrastructure does not utilize the vulnerable WebSocket routing implementation.
If you manage your own infrastructure, you must verify your Next.js version. The flaw affects two distinct release tracks in the Next.js ecosystem.
The Next.js maintenance team has released security patches that apply strict safety checks to WebSocket upgrade handling.
The server now only proxies upgrade requests when routing configurations explicitly mark them as safe external rewrites.
Tim Neutkens disclosed GHSA-c4j6-fc7j-m34r on GitHub, advising developers to upgrade to Next.js 15.5.16 or 16.2.5 immediately. Where patching isn’t possible, network-level protections are recommended.
Administrators should configure reverse proxies or load balancers to block all WebSocket upgrade requests if the application does not actively use them.
Additionally, security teams must restrict the origin server’s outbound traffic, completely blocking access to internal cloud metadata services and unrelated internal networks.
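One way to apply the reverse-proxy mitigation described above, shown as an added example that is not from the advisory or the Next.js project. It assumes nginx fronts an origin that does not use WebSockets; the upstream address, server name and certificate paths are placeholders.

```nginx
# Added example (constructed): nginx in front of a self-hosted Next.js origin
# that does not use WebSockets. Address, name and paths are placeholders.

# WebSocket pass-through commonly copied into proxy configs. It relays
# upgrade requests to the origin and should be absent when unused:
#
#   proxy_set_header Upgrade    $http_upgrade;
#   proxy_set_header Connection "upgrade";

upstream nextjs_origin {
    server 127.0.0.1:3000;          # assumed origin address
    keepalive 16;
}

server {
    listen 443 ssl;
    server_name app.example.com;                    # placeholder
    ssl_certificate     /etc/nginx/tls/app.crt;     # placeholder path
    ssl_certificate_key /etc/nginx/tls/app.key;     # placeholder path

    # Refuse any request carrying an Upgrade header before it is proxied.
    # nginx evaluates an empty (absent) header as false, so ordinary
    # requests fall through to the location block.
    if ($http_upgrade) {
        return 403;
    }

    location / {
        proxy_pass http://nextjs_origin;
        proxy_http_version 1.1;

        # Defence in depth: an empty value removes the header, so upgrade
        # signalling never reaches the origin even if the check above
        # is skipped (for example, a header value of "0").
        proxy_set_header Upgrade    "";
        proxy_set_header Connection "";

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

This only helps if the origin port is unreachable except through the proxy. The outbound restriction on the origin server is a separate control, enforced at the host firewall or cloud network policy.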