Description
Security patch: bumps Next.js from 16.1.7 → 16.2.6 in apps/web to
fix CVE-2026-44578 (CVSS 8.6),
a WebSocket-Upgrade Server-Side Request Forgery vulnerability in self-hosted
Next.js deployments.
Why this matters
CVE-2026-44578 lets an unauthenticated attacker send a crafted absolute-form
HTTP request with Upgrade: websocket headers and force the Next.js server
to proxy traffic to arbitrary internal destinations — internal services,
admin panels, cloud metadata endpoints. Successful exploitation can leak
cloud credentials, API keys, and secrets reachable from the Next pod.
Vulnerable range: 13.4.13+, 14.x, 15.x < 15.5.16, 16.0.0 – 16.2.4.
Fixed in 15.5.16 / 16.2.5 (or 15.5.18 / 16.2.6 for Turbopack users).
Vercel-managed deployments are not affected — only self-hosted Next on
its built-in Node server is vulnerable.
Scope
apps/web is the self-hosted frontend: it builds via
.github/workflows/self_hosted_build.yml into the
composio-self-host/frontend ECR image and is deployed to customer
Kubernetes clusters by helm-charts as the frontend service. It runs
next start inside the container, which is exactly the vulnerable
deployment shape. The SaaS deployment of this app on Vercel
(platform.composio.dev) is unaffected by the bug, so this bump only
matters for self-hosted / on-prem customers — but the same bump covers
both code paths.
apps/web uses Turbopack (next dev --turbopack), so 16.2.6 (the
Turbopack-safe patch) is chosen over the minimum 16.2.5.
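The affected-version ranges from "Why this matters" and the Turbopack-specific fix versions that drive the 16.2.6 choice above, as an added audit helper that is not part of this PR, of Next.js or of the project's own tooling; `isVulnerable`, `auditPackageJson` and the sample package.json inputs are constructed for this example.

```javascript
// Added audit helper (not part of this PR or of Next.js): encodes the
// affected Next.js ranges stated above for CVE-2026-44578, including the
// later fix versions for Turbopack users. Assumes plain x.y.z versions;
// canary/prerelease tags are not handled.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}
const lt = (v, w) => compareVersions(v, w) < 0;

// Vulnerable: 13.4.13+, 14.x, 15.x below the 15.5 fix, 16.0.0 below the 16.2 fix.
// Fix versions: 15.5.16 / 16.2.5, or 15.5.18 / 16.2.6 when Turbopack is used.
function isVulnerable(version, { turbopack = false } = {}) {
  if (lt(version, "13.4.13")) return false;
  if (lt(version, "16.0.0")) return lt(version, turbopack ? "15.5.18" : "15.5.16");
  return lt(version, turbopack ? "16.2.6" : "16.2.5");
}

// Audits a package.json text: takes the lower bound of a simple `next`
// specifier (^, ~, >=) and infers Turbopack use from a `--turbopack` flag
// in the scripts, which is how apps/web's dev script is configured.
function auditPackageJson(jsonText) {
  const pkg = JSON.parse(jsonText);
  const spec = pkg.dependencies?.next ?? pkg.devDependencies?.next;
  if (!spec) return { next: null, turbopack: false, vulnerable: false };
  const version = spec.replace(/^[\^~>=\s]+/, "");
  const turbopack = Object.values(pkg.scripts ?? {}).some((s) => /--turbopack\b/.test(s));
  return { next: version, turbopack, vulnerable: isVulnerable(version, { turbopack }) };
}

// Constructed sample inputs mirroring apps/web before and after this bump.
const BEFORE = JSON.stringify({
  scripts: { dev: "next dev --turbopack", build: "next build" },
  dependencies: { next: "16.1.7" },
});
const AFTER = BEFORE.replace('"16.1.7"', '"16.2.6"');

console.log(auditPackageJson(BEFORE)); // vulnerable: true
console.log(auditPackageJson(AFTER));  // vulnerable: false
```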
Changes
- apps/web/package.json: "next": "16.1.7" → "next": "16.2.6"
- package.json (root pnpm overrides): "next": ">=16.1.7" → ">=16.2.6"
- pnpm-lock.yaml: regenerated
No code changes — version bump only.
How did I test this PR
- pnpm install resolves cleanly; only pre-existing peer-dep warnings
(drizzle / zod / @anthropic-ai/sdk) reappear, none introduced by this bump.
- pnpm build from repo root: 3/3 turbo tasks successful with
▲ Next.js 16.2.6 (Turbopack). Compile, TypeScript check, page data
collection, and route generation all pass.
- pnpm lint in apps/web: 0 errors, 305 pre-existing warnings (unchanged).
- Confirmed installed version:
node_modules/.pnpm/next@16.2.6_....
A Vercel preview build will validate the SaaS path on this PR; the
self-hosted image is rebuilt by [Self Hosted] Frontend Build and Push
once this lands on main (manual workflow_dispatch).
Follow-ups for the on-prem release
- Trigger the self-hosted build workflow.
- Cut a helm-charts release that pins the new image tag.
- Notify self-hosted customers via the standard channel.