What happened
Unauthenticated HTTP request with crafted WebSocket upgrade headers proxied through Next.js server to cloud metadata endpoints
2026-05-11
HighMedia reportCVE-2026-44578: Vibe-coded Next.js apps deployed without security review become SSRF proxies (CVSS 8.6)
CVE-2026-44578 (CVSS 8.6): Vibe-coded Next.js apps deployed without dependency governance let unauthenticated attackers proxy to cloud metadata endpoints and steal credentials.
AI Coding Agents + Next.jsCredential exposureFramework vulnerability in AI-generated deploymentSelf-hosted Next.js servers / cloud VPS instances
Why it matters
Potential credential theft from AWS IMDSv1, Azure IMDS, and Oracle Cloud metadata endpoints on any self-hosted Next.js instance running affected versions (13.4.13–15.5.15, 16.0.0–16.2.4)
Missing authorization check
Deploy-time dependency audit requirement and framework version sign-off before AI-generated code reaches production
Would PP block it?
A PP-enforced deployment receipt for AI-generated code could require: (1) npm audit clean pass, (2) framework version within a defined safe window, (3) human security sign-off for any self-hosted production push. Without that gate, vibe-coded apps land in production with no dependency review. PP doesn't eliminate the CVE, but it closes the governance gap that let unreviewed AI-generated code reach self-hosted production for months without a patch.
Incident analysis
Timeline and technical read
Timeline
2026-05-11
Vercel ships patches for CVE-2026-44578 (Next.js 15.5.16 and 16.2.5)
2026-05-11
Affected versions confirmed: Next.js 13.4.13–15.5.15 and 16.0.0–16.2.4; Vercel-hosted apps not affected
2026-05-20
VibeAudits.com publishes technical breakdown noting vibe-coded apps as primary at-risk population
2026-05-20
Security community flags that most AI-generated Next.js deployments have no framework update mechanism
Technical breakdown
- Next.js WebSocket upgrade handler processed absolute-form URLs without applying the same routing safety checks as standard HTTP requests, enabling SSRF
- Exploit requires only crafted HTTP headers (Upgrade: websocket + Connection: Upgrade + absolute target URL) — no authentication needed
- On AWS IMDSv1, GCP (non-Upgrade header filtering), Azure, and Oracle: the proxy can reach 169.254.169.254 and equivalent metadata endpoints to retrieve credentials
- AWS IMDSv2 and Vercel-managed deployments are not vulnerable; self-hosted VPS instances on older cloud configs are the primary attack surface
- Vibe-coded apps disproportionately affected: generated by AI, deployed once, no ongoing dependency governance or security feed subscription
Authorization boundary
Where the authorization boundary should have been
This incident is categorized as Credential exposure. The relevant Permission Protocol gate is Deploy Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.
- If enforced at
- Deployment authorization gate (pre-production push)
- Still needs
- PP cannot enforce framework-level patching schedules or runtime vulnerability scanning after deployment.
- Receipt required for
- Production deployment of AI-generated code — must name framework version, dependency audit result, and reviewer identity
PP's deploy gate can enforce a required security review checkpoint before production deployment, but cannot patch the underlying Next.js vulnerability.
Start small
Put the relevant gate at this action boundary.
This incident maps to Deploy Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.