Red Hat CVE-2026-27978
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 47 npm packages depend on next (45 direct, 2 indirect)
Ecosystem-wide dependent count for version 16.0.1.
DescriptionGitHub Advisory
Summary
origin: null was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests.
Impact
An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF).
Patches
Fixed by treating 'null' as an explicit origin value and enforcing host/origin checks unless 'null' is explicitly allowlisted in experimental.serverActions.allowedOrigins.
Workarounds
If upgrade is not immediately possible:
- Add CSRF tokens for sensitive Server Actions.
- Prefer
SameSite=Stricton sensitive auth cookies. - Do not allow
'null'inserverActions.allowedOriginsunless intentionally required and additionally protected.
AnalysisAI
Server Action CSRF validation in Next.js incorrectly treats null origins from sandboxed contexts as missing origins, allowing attackers to bypass verification and trick victim browsers into executing state-changing actions with their credentials. This affects applications relying on origin checks for CSRF protection without additional safeguards. A patch is available that enforces strict origin validation unless null is explicitly allowlisted.
Technical ContextAI
Cross-Site Request Forgery forces authenticated users to perform unintended actions by tricking their browser into sending forged requests. This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352).
RemediationAI
A vendor patch is available — apply it immediately. Implement anti-CSRF tokens for all state-changing operations. Use SameSite cookie attribute. Verify the Origin/Referer header on the server side.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-mq59-m269-xvcx