Skip to main content

Red Hat CVE-2026-27978

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-03-17 https://github.com/vercel/next.js GHSA-mq59-m269-xvcx
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Red Hat
4.3 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 17, 2026 - 20:30 vuln.today
Patch released
Mar 17, 2026 - 20:30 nvd
Patch available
CVE Published
Mar 17, 2026 - 15:30 nvd
MEDIUM 4.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 47 npm packages depend on next (45 direct, 2 indirect)

Ecosystem-wide dependent count for version 16.0.1.

DescriptionGitHub Advisory

Summary

origin: null was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests.

Impact

An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF).

Patches

Fixed by treating 'null' as an explicit origin value and enforcing host/origin checks unless 'null' is explicitly allowlisted in experimental.serverActions.allowedOrigins.

Workarounds

If upgrade is not immediately possible:

  • Add CSRF tokens for sensitive Server Actions.
  • Prefer SameSite=Strict on sensitive auth cookies.
  • Do not allow 'null' in serverActions.allowedOrigins unless intentionally required and additionally protected.

AnalysisAI

Server Action CSRF validation in Next.js incorrectly treats null origins from sandboxed contexts as missing origins, allowing attackers to bypass verification and trick victim browsers into executing state-changing actions with their credentials. This affects applications relying on origin checks for CSRF protection without additional safeguards. A patch is available that enforces strict origin validation unless null is explicitly allowlisted.

Technical ContextAI

Cross-Site Request Forgery forces authenticated users to perform unintended actions by tricking their browser into sending forged requests. This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352).

RemediationAI

A vendor patch is available — apply it immediately. Implement anti-CSRF tokens for all state-changing operations. Use SameSite cookie attribute. Verify the Origin/Referer header on the server side.

Vendor StatusVendor

Share

CVE-2026-27978 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy