Next.js 16.2.6 and 15.5.18 Ship 13 Security Fixes: Patch Now
Vercel released Next.js 16.2.6 and 15.5.18 with 13 security advisories: 7 high, 4 moderate, and 2 low severity. The most critical issues include four middleware authorization bypass techniques (CVSS 7.5–8.1), a WebSocket SSRF (CVSS 8.6), an upstream React Server Components DoS (CVE-2026-23870), cache poisoning bugs, and XSS vulnerabilities. Self-hosted deployments are fully exposed until patched. The fix is straightforward — run `npm install next@latest` on your current major and redeploy. The post also covers temporary workarounds, a self-hosting security checklist, and architectural lessons emphasizing defense-in-depth beyond middleware-only authorization.
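To confirm that every installed copy of `next` is at or above the two fixed releases named above, the lockfile can be audited before redeploying. The following is an added example, not code from the post or from Vercel; the function names and the sample lockfile are constructed for illustration, and it assumes the `packages` map of a `package-lock.json` with lockfileVersion 2 or 3. Release lines other than 15 and 16 are reported as `unknown` because the summary names no fixed version for them.

```javascript
// Fixed releases named in the summary above, keyed by major release line.
const PATCHED = { 15: [15, 5, 18], 16: [16, 2, 6] };

// Parse "16.2.6" or "16.2.6-canary.3" into numeric parts plus a prerelease flag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(v).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Returns "patched", "unpatched", or "unknown" (unparseable version, a release
// line with no fixed version named above, or a prerelease at/after the fix whose
// contents cannot be judged from its version number alone).
function classify(version) {
  const p = parseVersion(version);
  if (!p) return "unknown";
  const floor = PATCHED[p.nums[0]];
  if (!floor) return "unknown";
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] < floor[i]) return "unpatched";
    if (p.nums[i] > floor[i]) break;
  }
  return p.pre ? "unknown" : "patched";
}

// Report every installed copy of next, including nested copies in workspaces.
function auditLockfile(lockText) {
  const packages = JSON.parse(lockText).packages || {};
  return Object.entries(packages)
    .filter(([path]) => path === "node_modules/next" || path.endsWith("/node_modules/next"))
    .map(([path, meta]) => ({ path, version: meta.version, status: classify(meta.version) }));
}

// Constructed sample lockfile (illustrative only, not from the post).
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/next": { version: "16.2.6" },
    "apps/admin/node_modules/next": { version: "15.5.17" },
    "apps/docs/node_modules/next": { version: "14.2.30" },
    "node_modules/next-auth": { version: "4.24.0" },
  },
});

console.log(auditLockfile(SAMPLE_LOCK));
```

In a real project, pass the contents of the project's own `package-lock.json` to `auditLockfile` and treat any `unpatched` or `unknown` entry as something to resolve before redeploying.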