CVE-2026-44578 is a server-side request forgery vulnerability in the Next.js npm package exploitable via the WebSocket upgrade mechanism, with a CVSS score of 8.1. Successful exploitation allows an attacker to force the application server to make unauthorized requests to internal resources including cloud metadata endpoints, internal APIs, and private network services. No active exploitation or KEV listing has been confirmed at time of publication, but SSRF against cloud metadata APIs represents a direct path to credential theft and lateral movement in cloud-hosted deployments.