Next.js May 2026 Security Patch: How to Fix All 13 Vulnerabilities
Author: Muhammad Awais
Published: May 30, 2026

Your Next.js App Is Probably Still Vulnerable - Here's What Happened
Picture this: it's a Tuesday morning, your Slack is quiet, and then a teammate drops a link: "Vercel just disclosed 13 security vulnerabilities in Next.js." That happened on May 8, 2026, and if you haven't upgraded since then, every version from Next.js 13.x through 16.x is affected. We're talking SSRF, denial of service, middleware bypass, cache poisoning, and XSS: not theoretical issues, but real attack vectors with working exploit patterns.
I went through all 13 advisories in the Next.js May 2026 security patch, reproduced a few of them locally, and put together this guide so you know exactly what's dangerous, what's low priority, and how to patch your app without breaking your deployment.
Which of the 13 Next.js vulnerabilities actually put your production app at risk
How CVE-2026-44578 (CVSS 8.6) can expose your cloud infrastructure via WebSocket requests
The middleware bypass bugs that break auth entirely and how to detect them
A step-by-step upgrade path that won't blow up your deployment pipeline
A post-upgrade checklist so nothing slips through after patching
What Vercel Actually Disclosed - The 13 Advisories at a Glance
On May 8, 2026, Vercel shipped a coordinated security release for Next.js addressing 13 separate advisories. This wasn't the usual quarterly patch; it was a coordinated disclosure involving the React team upstream (one CVE originates there), the Next.js core team, and several external security researchers. Every affected version from 13.x to 16.x got patched releases simultaneously.
The vulnerabilities fall into four categories, ordered by actual risk in production:
| Category | Severity | Count | Affects |
|---|---|---|---|
| SSRF via WebSocket | High (CVSS 8.6) | 1 | Self-hosted Node.js server |
| Middleware / Proxy Bypass | High | 4 | Apps using auth middleware |
| Denial of Service | High | 2 | RSC + Cache Components |
| Cache Poisoning + XSS | Moderate / Low | 6 | App Router apps with CSP |
The full advisory list is published in the official Vercel security release. What follows is my breakdown of what actually matters for your app.
CVE-2026-44578 - The SSRF Vulnerability You Need to Fix First
This is the one that should concern you most if you self-host Next.js on a Node.js server. CVE-2026-44578 scored 8.6 on CVSS (rated High). It's an unauthenticated server-side request forgery vulnerability that is triggered by sending a crafted WebSocket upgrade request.
Here's what makes it dangerous in practice: a remote attacker (no login required, no session needed) can send a specially formatted Upgrade: websocket HTTP request that tricks your Next.js server into proxying requests to arbitrary internal destinations. If you're deployed on AWS, GCP, or Azure, that includes the Instance Metadata Service (IMDS), a local HTTP endpoint that hands out IAM roles, temporary credentials, and infrastructure configuration to anyone who can reach it from inside the VM.
In plain terms: exploit this and an attacker can potentially extract your cloud credentials without ever logging into your app. That's why the CVSS score is 8.6 and not 6.something.
Am I affected?
You're affected if all three of these are true:
You're running Next.js 13.x, 14.x, 15.x, or 16.x (pre-patch)
You use the built-in Next.js Node.js server, not a serverless/edge runtime
Your app handles WebSocket upgrade requests (or sits behind a reverse proxy that forwards them)
Apps deployed on Vercel's platform were patched at the infrastructure level automatically; Vercel pushed mitigations before the public disclosure. Self-hosted apps on EC2, DigitalOcean, Railway, Render, or any VPS are the ones that need immediate action.
Understanding this SSRF vector is also why proper authentication at the edge matters, something we cover in detail in our guide on Next.js Edge Runtime JWT authentication.
The Middleware and Proxy Bypass Bugs - Auth Is Broken Without This Patch
Four of the 13 advisories relate to middleware and proxy bypass, and this category will affect more apps than the SSRF bug, because auth middleware is one of the most common patterns in Next.js.
The specific bypass paths:
Segment-prefetch URL bypass: A crafted request to an App Router segment-prefetch URL can bypass middleware authorization entirely. If your proxy.ts (or middleware.ts in older versions) protects a route, this bypass lets unauthenticated users access it by hitting the prefetch endpoint directly.
Dynamic route parameter injection: Carefully crafted route parameters can slip past middleware pattern matching. An attacker can inject values that match your public route patterns but actually resolve to protected endpoints.
Pages Router i18n default-locale bypass: If you use the Pages Router with i18n enabled, requests targeting the default locale can bypass proxy authorization. This one is narrow but nasty if you're running a multilingual app with protected content.
Segment-prefetch incomplete fix: A separate advisory addresses an incomplete fix from a prior patch; the original mitigation had an edge case. The May 2026 release closes it properly.
If you use middleware to protect any route (dashboard, admin panel, API endpoints, paywalled content), these four advisories mean your protection can be circumvented right now. This is probably the highest real-world risk category for most apps.
After patching, double-check your middleware patterns against our guide on securing Server Actions in Next.js; Server Actions have their own auth considerations that middleware alone doesn't cover.
Denial of Service - React Server Components and Cache Components
Two High-severity DoS vulnerabilities round out the critical tier. Neither requires authentication.
CVE-2026-23870 (upstream React): A specially crafted HTTP request sent to any App Router Server Function endpoint can trigger excessive CPU usage during RSC deserialization. This doesn't crash your server; it saturates it. Under repeated requests, your app becomes unresponsive. The fix is tracked upstream in React itself, and both React and Next.js shipped patched versions simultaneously.
Cache Component connection exhaustion: Apps using Cache Components (the newer caching primitive in Next.js 16) are vulnerable to a connection exhaustion attack. Rapid requests that hit cache boundaries can exhaust connection pools faster than the server can recover, effectively taking the app offline. If you haven't shipped Cache Components to production yet, this one doesn't apply to you.
Both DoS vectors are genuinely bad for production apps without rate limiting in front of them. If you're not rate-limiting your RSC endpoints already, our Next.js rate limiting and bot protection guide covers the setup from scratch.
Cache Poisoning and XSS - Lower Priority but Still Real
Six advisories cover cache poisoning and XSS. These are rated Moderate or Low, but that doesn't mean ignore them; it means they require specific conditions to be exploitable.
RSC cache poisoning: Responses from React Server Components can be poisoned via crafted requests if your app sits behind a shared caching layer. The cache stores a tainted response, which then gets served to legitimate users.
RSC cache-busting collision: A second, lower-severity cache issue in which crafted requests can collide with existing cache keys and corrupt stored RSC payloads.
XSS via CSP nonces (App Router): If you use Content Security Policy nonces in the App Router and consume untrusted input in nonce generation, an attacker can inject script content. This is a narrow condition but a real XSS if you're doing anything custom with CSP nonce handling.
XSS via beforeInteractive scripts: Scripts loaded with the beforeInteractive strategy in Next.js can be exploited for XSS if they consume untrusted input. Same narrow condition as above.
The practical advice here: patch and move on. Don't spend time analyzing whether your specific setup is exploitable; the upgrade takes 2 minutes and closes all 13 at once.
How to Upgrade Next.js - The Safe Step-by-Step Path
I've done this upgrade on three production apps since the disclosure. Here's what actually works without surprises.
1. Check your current version first. Run npx next --version in your project root. If you're on 16.2.3 or earlier, you need this patch. The fixed version is 16.2.4 for the v16 branch. Older major versions have corresponding patched releases.
2. Read your lock file before upgrading. If you're using pnpm or yarn, look at what peer dependency versions are pinned alongside Next.js. React 19.x is the upstream dependency that matters: the RSC DoS fix requires React to be patched too.
3. Upgrade Next.js and React together.
npm install next@latest react@latest react-dom@latest
Or with pnpm:
pnpm add next@latest react@latest react-dom@latest
4. Run your test suite immediately. Don't deploy blind. The most common break I've seen post-upgrade is around middleware configuration, specifically if you're still using the old middleware.ts naming on Next.js 16 (it's now proxy.ts).
5. Deploy to staging first. Check your auth flows end to end: login, protected route access, logout. The middleware bypass fixes change how pattern matching works internally, so it's worth verifying your protection still behaves as expected (it should, but test it).
6. Verify the patched version is live. After deployment, check the /_next/static/chunks/main.js bundle headers or your server logs to confirm the Next.js version string matches the patched release.
If you use JWTs in your auth setup, our free JWT Decoder tool lets you inspect and verify your tokens in the browser, useful for confirming auth is still working correctly after the upgrade without writing debug code.
Post-Upgrade Checklist - Don't Skip This
Patching Next.js closes the vulnerabilities, but there are a few things worth verifying manually after the upgrade:
Test your auth middleware against all protected routes. Hit your protected endpoints directly (not through the UI) and confirm they return 401/403 as expected. The segment-prefetch bypass specifically works by targeting prefetch URLs, so test those too: append ?_rsc=1 to your protected route URLs and confirm they're still gated.
Check your WebSocket configuration if self-hosted. If your app uses WebSockets or sits behind a proxy that forwards Upgrade headers, review your reverse proxy config (nginx, Caddy, etc.) to make sure only legitimate upgrade requests reach Next.js.
Audit CSP nonce usage if you've customized it. Search your codebase for nonce in App Router layout files. If you're constructing nonces from any request data, review that logic.
Review Cache Component usage. If you've shipped Cache Components, verify that your caching layer sits behind auth: don't cache RSC responses for authenticated content without scoping by user.
Update your dependencies in CI. Add next@latest to your Dependabot or Renovate config so future patches get picked up automatically as PRs.
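A way to automate the first checklist item, as an added example (my code, not the article's): it probes each protected route anonymously, both as the page URL and as its ?_rsc=1 prefetch variant, and reports anything not answered with 401/403. The base URL and route list are placeholders you supply; fetchImpl is injectable so the check can run against a stub.

```javascript
// Added example, not from the article: probe protected routes without credentials, as
// the page URL and as its ?_rsc=1 prefetch variant, and report any probe that was NOT
// answered with 401/403. `fetchImpl` defaults to the global fetch (Node 18+) and can be
// replaced with a stub for testing.

const PREFETCH_PARAM = "_rsc";

// The two URLs to probe for one protected path: the page itself and its prefetch form.
function prefetchVariants(baseUrl, path) {
  const plain = new URL(path, baseUrl);
  const prefetch = new URL(path, baseUrl);
  prefetch.searchParams.set(PREFETCH_PARAM, "1");
  return [plain.toString(), prefetch.toString()];
}

// Per the checklist, a gated route must answer an anonymous request with 401 or 403.
function isGated(status) {
  return status === 401 || status === 403;
}

// Probe every path; resolves to one finding per URL that was NOT gated.
async function checkProtectedRoutes(baseUrl, paths, fetchImpl = globalThis.fetch) {
  const findings = [];
  for (const path of paths) {
    for (const url of prefetchVariants(baseUrl, path)) {
      // No cookies, no Authorization header: exactly what an unauthenticated caller sends.
      // redirect: "manual" so a bounce to a login page is reported as-is, not followed.
      const res = await fetchImpl(url, { redirect: "manual", headers: { accept: "*/*" } });
      if (!isGated(res.status)) findings.push({ url, status: res.status });
    }
  }
  return findings;
}

// Human-readable summary; an empty findings list means every probe was gated.
function formatReport(findings) {
  if (findings.length === 0) return "OK: all protected routes (and their ?_rsc=1 variants) returned 401/403";
  return findings.map((f) => `NOT GATED: ${f.url} -> HTTP ${f.status}`).join("\n");
}
```

Run it against staging, never against production with real user sessions attached, and treat a 3xx redirect to your login page as something to review rather than as proof of gating.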
If You Can't Upgrade Right Now - Mitigations That Actually Help
Ideally, you upgrade. But sometimes a frozen release window, a client sign-off process, or a staging freeze makes immediate patching impossible. Here's what reduces your exposure in the meantime.
For the SSRF bug specifically: block WebSocket upgrade requests at your reverse proxy or load balancer if your app doesn't actually use WebSockets. In nginx, that's a single deny rule on $http_upgrade. This won't fix the vulnerability but removes the primary attack vector.
For the middleware bypass issues: add a secondary auth check at the Server Action or API Route level — don't rely solely on middleware for authorization. This is good security hygiene regardless of patches, and we cover it thoroughly in our Next.js Server Actions security guide.
For the DoS vectors: rate limit your RSC and Server Function endpoints aggressively. Even a simple 60 requests/minute per IP limit at the edge reduces the attack surface significantly.
These are workarounds, not fixes. Patch as soon as your release window allows.
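The secondary auth check and the per-IP rate limit above, as one added example in the shape of a Next.js Route Handler (my code, not the article's or Vercel's). getSession stands in for your own session lookup and the demo bearer token is a constructed placeholder; the limiter is in-memory and therefore per process.

```javascript
// Added example, not from the article or Next.js itself: defence in depth for a Route
// Handler. Because the bypass advisories mean proxy.ts/middleware.ts alone cannot be
// trusted to gate a route, the handler re-checks the session and applies a per-IP limit
// (60 requests/minute, the figure the article suggests) inside the route.
const WINDOW_MS = 60_000;
const MAX_PER_WINDOW = 60;

// Fixed-window counter keyed by client IP. In-memory, so it is per server process;
// back it with a shared store (Redis etc.) when you run more than one instance.
function createRateLimiter({ windowMs = WINDOW_MS, max = MAX_PER_WINDOW, now = Date.now } = {}) {
  const buckets = new Map(); // ip -> { windowStart, count }
  return function allow(ip) {
    const t = now();
    const b = buckets.get(ip);
    if (!b || t - b.windowStart >= windowMs) {
      buckets.set(ip, { windowStart: t, count: 1 });
      return true;
    }
    b.count += 1;
    return b.count <= max;
  };
}

// Client IP as seen behind a reverse proxy; only trust X-Forwarded-For if your proxy sets it.
function clientIp(request) {
  const xff = request.headers.get("x-forwarded-for");
  return xff ? xff.split(",")[0].trim() : "unknown";
}

// Wrap a handler so limiting and authorization happen in the route itself,
// whatever middleware did or was tricked into not doing.
function withGuards(handler, { getSession, allow }) {
  return async function guarded(request, ctx = {}) {
    if (!allow(clientIp(request))) return new Response("Too Many Requests", { status: 429 });
    const session = await getSession(request); // assumed: resolves to null for an anonymous caller
    if (!session) return new Response("Unauthorized", { status: 401 });
    return handler(request, { ...ctx, session });
  };
}

// Constructed route: app/api/secret/route.js would `export` this as GET.
const GET = withGuards(
  async (_request, { session }) =>
    new Response(JSON.stringify({ user: session.userId }), { status: 200, headers: { "content-type": "application/json" } }),
  {
    allow: createRateLimiter(),
    // assumed stand-in for a real cookie -> session-store lookup; "Bearer demo" is a placeholder
    getSession: async (request) =>
      request.headers.get("authorization") === "Bearer demo" ? { userId: "demo" } : null,
  },
);
```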
Frequently Asked Questions
What is CVE-2026-44578 in Next.js?
CVE-2026-44578 is a server-side request forgery (SSRF) vulnerability affecting self-hosted Next.js applications that use the built-in Node.js server. A remote, unauthenticated attacker can send crafted WebSocket upgrade requests that cause the server to proxy requests to arbitrary internal or external destinations, including cloud metadata services like AWS IMDS. It scored 8.6 on the CVSS scale (High severity) and was patched in the May 2026 Next.js security release.
Which versions of Next.js are affected by the May 2026 security patch?
All active major versions are affected: Next.js 13.x, 14.x, 15.x, and 16.x. Vercel shipped patched releases for each branch simultaneously. For the v16 branch, the fixed version is 16.2.4. Check the official changelog for the corresponding patched versions on older branches. If you're on Next.js 12 or earlier, it reached end-of-life; these advisories weren't formally addressed for those versions, which is one more reason to upgrade to a supported release.
How do I know if my Next.js app has been exploited?
For the SSRF vulnerability, check your server access logs for unusual outbound HTTP requests, particularly to 169.254.169.254 (AWS IMDS) or other internal IP ranges. For middleware bypass attempts, look for requests to prefetch URLs (?_rsc= query params) hitting protected routes. For DoS activity, look for unusual CPU spikes on your application server correlated with RSC endpoint hits. If you see any of these patterns before applying the patch, rotate your cloud credentials immediately.
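An added example (my code, not from the article) of what that log review can look like as a script: it parses constructed nginx-style access-log lines and flags the three indicators above. The protected-route prefixes and the extra $http_upgrade field at the end of each line are assumptions about your setup.

```javascript
// Added example, not from the article: triage an access log for the indicators the FAQ
// lists. Format is nginx "combined" plus one trailing quoted $http_upgrade field
// (a constructed log_format; adapt LINE_RE to your own). Sample lines are constructed.
const PROTECTED_PREFIXES = ["/dashboard", "/admin", "/api/private"]; // assumed gated routes
const IMDS_ADDRESS = "169.254.169.254";
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+ "[^"]*" "[^"]*" "([^"]*)"$/;

// Parse one line into fields; null for lines that do not match the format.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, time, , target, status, upgrade] = m;
  let url;
  try { url = new URL(target, "http://log.invalid"); } catch { return null; } // base only for relative targets
  return { ip, time, host: url.hostname, path: url.pathname, query: url.searchParams, status: Number(status), upgrade };
}

function isProtected(path) {
  return PROTECTED_PREFIXES.some((p) => path === p || path.startsWith(p + "/"));
}

// Indicator names for one parsed entry (possibly none).
function indicators(e) {
  const hits = [];
  if (e.query.has("_rsc") && isProtected(e.path)) {
    // A prefetch request for a gated route that got a 2xx is the bypass signature;
    // one answered with 401/403 (or a login redirect) is a probe your gate stopped.
    hits.push(e.status >= 200 && e.status < 300 ? "rsc_prefetch_on_protected_served" : "rsc_prefetch_on_protected_denied");
  }
  if (e.upgrade.toLowerCase() === "websocket") hits.push("websocket_upgrade_request");
  if (e.host === IMDS_ADDRESS) hits.push("imds_address_in_request_target"); // absolute-form target aimed at IMDS
  return hits;
}

// Scan a whole log; returns one finding per (line, indicator) pair.
function scanLog(text) {
  const findings = [];
  for (const raw of text.split("\n")) {
    const e = raw.trim() ? parseLine(raw.trim()) : null;
    if (!e) continue;
    for (const name of indicators(e)) findings.push({ name, ip: e.ip, time: e.time, path: e.path, status: e.status });
  }
  return findings;
}

const SAMPLE_LOG = /* constructed sample, not real traffic */ `
203.0.113.7 - - [10/May/2026:09:12:01 +0000] "GET /dashboard?_rsc=1 HTTP/1.1" 200 5123 "-" "curl/8.6.0" "-"
203.0.113.7 - - [10/May/2026:09:12:03 +0000] "GET /admin?_rsc=1 HTTP/1.1" 403 0 "-" "curl/8.6.0" "-"
198.51.100.4 - - [10/May/2026:09:15:44 +0000] "GET /_next/static/chunks/main.js HTTP/1.1" 200 88812 "-" "Mozilla/5.0" "-"
198.51.100.9 - - [10/May/2026:09:20:10 +0000] "GET http://169.254.169.254/latest/meta-data/ HTTP/1.1" 101 0 "-" "-" "websocket"
`;
```

A served prefetch on a gated route from before you patched is the finding that should trigger credential rotation and a closer look at that client's other requests.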
Does this patch affect Next.js apps deployed on Vercel?
Apps deployed on Vercel's managed platform were protected at the infrastructure level before the public disclosure; Vercel deployed mitigations across their platform as part of the coordinated disclosure process. However, you should still upgrade your Next.js version even on Vercel to get the full fix applied at the application layer. Self-hosted apps on any VPS, cloud VM, or container environment need to upgrade immediately.
What is the difference between middleware bypass and SSRF in this context?
These are two different attack categories. The SSRF (CVE-2026-44578) makes your server issue HTTP requests to unintended destinations; it's an outbound attack that leaks internal network access. The middleware bypass vulnerabilities let external attackers skip your authorization logic and access protected routes directly; it's an inbound authentication failure. Both are dangerous, but in different ways: SSRF can expose infrastructure credentials, while middleware bypass exposes protected application content and functionality.
Should I patch immediately if I'm not using WebSockets or middleware?
Yes. Even if you don't use WebSockets (removing SSRF risk) or auth middleware (removing bypass risk), the DoS and cache poisoning vulnerabilities still apply to standard App Router apps with React Server Components. Unpatched RSC DoS can take your app offline under attack, and cache poisoning can serve corrupted responses to legitimate users. The upgrade takes under 5 minutes and closes all 13 advisories at once; there's no good reason to delay it.