Skip to main content

Sdk CVE-2026-39371

| EUVDEUVD-2026-19888 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-07 GitHub_M GHSA-x8rx-789c-2pxq
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 24, 2026 - 18:22 vuln.today
cvss_changed
Patch released
Apr 08, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 07, 2026 - 20:16 euvd
EUVD-2026-19888
Analysis Generated
Apr 07, 2026 - 20:16 vuln.today
CVE Published
Apr 07, 2026 - 19:28 nvd
HIGH 8.1

DescriptionGitHub Advisory

RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, erver functions exported from "use server" files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to trigger state-changing functions, because browsers send SameSite=Lax cookies on top-level GET requests. This affected all server functions -- both serverAction() handlers and bare exported functions in "use server" files. This vulnerability is fixed in 1.0.6.

AnalysisAI

Cross-Site Request Forgery (CSRF) in RedwoodSDK 1.0.0-beta.50 through 1.0.5 allows unauthenticated remote attackers to execute state-changing server functions via crafted GET requests. The vulnerability stems from server functions exported from 'use server' files accepting GET requests despite being intended for POST-only invocation, enabling exploitation through cross-site navigation in cookie-authenticated applications where browsers automatically attach SameSite=Lax cookies to top-level GET requests. CVSS score 8.1 reflects high integrity and availability impact with low attack complexity requiring only user interaction. No public exploit identified at time of analysis, with EPSS data unavailable. Fixed in version 1.0.6.

Technical ContextAI

RedwoodSDK is a server-first React framework (cpe:2.3:a:redwoodjs:sdk) that implements React Server Components patterns with 'use server' directives for server-side function execution. The vulnerability (CWE-352: Cross-Site Request Forgery) occurs in the framework's HTTP method handling layer. Server functions decorated with 'use server' - including both serverAction() handlers and bare exported functions - failed to enforce POST-only invocation and incorrectly accepted GET requests. In browser security contexts, SameSite=Lax cookie policy (the default for most modern applications) sends authentication cookies on top-level cross-origin GET navigations but blocks them on cross-origin POST requests. This design prevents CSRF on POST endpoints but assumes GET requests are safe. The framework's failure to restrict HTTP methods created a gap where authenticated state-changing operations became vulnerable to cross-site GET-based attacks, violating the fundamental HTTP semantic that GET should be idempotent and safe.

RemediationAI

Upgrade RedwoodSDK to version 1.0.6 or later immediately, which implements proper HTTP method validation to restrict server functions to POST requests only. The vendor-released patch addresses the root cause by enforcing method-based routing controls on all 'use server' exported functions. Organizations unable to upgrade immediately should implement defense-in-depth measures: deploy anti-CSRF tokens for all state-changing operations, configure stricter SameSite=Strict cookie policies if application workflow permits (note this may break legitimate cross-site navigation scenarios), and review server function exports to ensure no sensitive operations are accessible. Validate that authentication middleware enforces token-based CSRF protection as secondary control. Consult the GitHub security advisory at https://github.com/redwoodjs/sdk/security/advisories/GHSA-x8rx-789c-2pxq for framework-specific upgrade guidance and compatibility considerations.

Share

CVE-2026-39371 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy