Next.js patched against multiple critical vulnerabilities including SSRF and auth bypass

Vercel released urgent security updates (Next.js 15.5.16 and 16.2.5) addressing multiple high-severity vulnerabilities including CVE-2026-44578 (critical SSRF in self-hosted apps), CVE-2026-44575 (middleware auth bypass in App Router), and CVE-2026-23870/CVE-2026-44579 (DoS vulnerabilities). Vercel-managed deployments are NOT affected by the SSRF flaw; only self-hosted Node.js deployments are vulnerable.