Leaving Vercel in 2026: The Real Self-Hosting Cost Math

Why are developers reevaluating Vercel in mid-2026?

Two reasons: a security incident and billing complexity. On April 19-20, 2026, Vercel confirmed a breach originating from a Context.ai employee compromised by Lumma Stealer malware, with attackers decrypting customer environment variables; the data was offered for $2M under the ShinyHunters name. That single event moved self-hosting from a cost discussion to a risk discussion.

The attack chain matters because it was not exotic. As of June 2026, the public account is that infostealer malware on one Context.ai employee's machine gave the attacker credentials, they pivoted through OAuth into a Vercel employee's Google Workspace and Vercel account, and from there they enumerated and decrypted environment variables that customers had stored on the platform. A ShinyHunters-branded post on BreachForums offered the data for $2M, and Vercel confirmed customer data was stolen for a subset of customers. To be fair where fairness is due: there is no evidence Next.js or Turbopack were affected. The framework is fine. The lesson is about where your secrets live, not about the code you ship.

The second reason is older and duller: billing. Vercel meters across eight dimensions, and the March 19, 2026 Active CPU pricing reset helped predictability but did not remove the surprise factor. I have audited more than one invoice during app rescue engagements ↗ where an unoptimized image route or a chatty ISR setup quietly tripled a client's monthly spend. When the bill is a function of eight meters, nobody on a small team actually knows next month's number.

What changed to make self-hosted Next.js a first-class citizen?

Next.js 16.2 ships a stable public Adapter API, co-developed with the OpenNext maintainers plus engineers from Netlify, Cloudflare, AWS Amplify, and Google Cloud, growing out of the April 2025 Build Adapters RFC. It gives platforms a typed, versioned build output with modifyConfig and onBuildComplete hooks. Self-hosted Next.js is no longer reverse-engineering Vercel's internals.

This is the part that made me comfortable moving production apps. Before the Adapter API, projects like OpenNext had to chase undocumented build output formats every minor release, and self-hosted deployments broke in subtle ways. Now the contract is public: an adapter receives a typed manifest of routes, middleware, ISR configuration, and assets, and decides how to host them. The fact that Vercel built this with its direct competitors is the strongest signal yet that the company treats framework neutrality seriously, and it removes my main long-term fear, which was betting client infrastructure on an unofficial shim.

For a single VPS you do not even need an adapter. output: 'standalone' plus a Dockerfile has been stable since Next.js 12, and 16.2 did not change that. What the Adapter API changed is confidence: the escape hatch is now a documented door.

What does a 100k-visits/month Next.js app actually cost?

For a 100k-visits/month Next.js app with ISR and image optimization, Vercel Pro realistically costs $40-150/mo ($20/seat plus metered overages), while a Hetzner CPX21 at €5.19/mo plus free open-source Coolify lands at $6-17/mo all-in. The best documented case I know of is a team that dropped from hundreds per month to $17/mo, a 97% reduction.

FROM node:22-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

FROM node:22-alpine AS runner
WORKDIR /app
ENV NODE_ENV=production
COPY --from=builder /app/.next/standalone ./
COPY --from=builder /app/.next/static ./.next/static
COPY --from=builder /app/public ./public
EXPOSE 3000
CMD ["node", "server.js"]

I kept one client on Vercel deliberately. Their content team pushes constant copy changes through PR previews, reviewed by non-technical stakeholders, and their edge middleware does geo-based pricing. Their $60/mo bill is less than one hour of my time. Migrating them would save money on paper and cost money in practice. That is the test I now apply to every new web development engagement ↗: who looks at preview URLs, and who answers the pager?

What does my actual hosting bill look like?

As of June 2026: €18.41/mo, about $20, for five production apps. One CPX21 (€5.19 plus €1.04 backups) runs this portfolio and two small client sites. One CPX31 (€10.49 plus backups) runs my reputation SaaS, the one with AI auto-replies, plus its Postgres and a Redis queue. Coolify costs nothing on either box.

Traffic-wise this setup is boring in the best way. A growing share of my visits now arrives from AI engines rather than spiky social referrals, a pattern I covered in my piece on getting cited by ChatGPT and Perplexity ↗, and steady predictable traffic is exactly the profile a fixed-cost VPS rewards. The same portfolio on Vercel Pro, with image optimization and ISR metered, was tracking toward $90/mo before I moved. I spend about three hours a month on ops across both servers. At my rate that is the real total: roughly $200/mo of money plus time, versus $300+ of money alone. The margin is smaller than the headline 97% case, and it is still clearly worth it for me.

Key takeaways

• The April 19-20, 2026 breach (Lumma Stealer on a Context.ai employee, OAuth pivot, decrypted customer env vars, a $2M ShinyHunters sale post) made platform-stored secrets a risk question, though Next.js itself was not affected.


• Next.js 16.2's stable Adapter API, built with OpenNext, Netlify, Cloudflare, and AWS, means self-hosted Next.js is no longer second-class.


• For a 100k-visits/month app, expect $40-150/mo on Vercel Pro versus $6-17/mo on Hetzner CPX21 plus Coolify; one documented team cut hundreds to $17, a 97% drop.


• Budget 2-4 ops hours a month at your billing rate; self-hosting only wins clearly once that time amortizes across multiple apps.


• Vercel still wins for team preview workflows, heavy edge/ISR, and zero ops appetite; the VPS wins for solo devs, steady traffic, and cost-sensitive clients.