Skip to main content

RedwoodSDK EUVDEUVD-2026-28823

| CVE-2026-42190 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-08 GitHub_M
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 08, 2026 - 20:34 vuln.today
Analysis Generated
May 08, 2026 - 20:34 vuln.today
CVE Published
May 08, 2026 - 19:35 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

RedwoodSDK is a server-first React framework. From version 1.0.0-beta.50 to before version 1.2.3, server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server action with the victim's session cookie attached. This issue has been patched in version 1.2.3.

AnalysisAI

Same-site Cross-Site Request Forgery (CSRF) in RedwoodSDK server actions allows attackers controlling same-site origins to invoke arbitrary server actions with victim session cookies in versions 1.0.0-beta.50 through 1.2.2. The vulnerability stems from missing origin validation despite HTTP method enforcement, enabling attackers to trigger state-changing operations through subdomain takeover, sibling-application XSS, or local development vectors. Vendor-released patch version 1.2.3 enforces Origin/Host matching validation. CVSS 5.3 reflects high integrity impact (UI:R) but constrained attack complexity (AC:H) and no information disclosure.

Technical ContextAI

RedwoodSDK is a server-first React framework that implements server actions as a mechanism for invoking server-side functions from client code. The vulnerability exists in the server action execution pipeline, which validates HTTP methods but lacks cross-origin request validation. The framework relies on SameSite=Lax session cookies for authentication, which the browser attaches to same-site requests regardless of origin. CWE-352 (Cross-Site Request Forgery) captures the root cause: the application fails to validate that requests originate from the legitimate application origin before performing sensitive state-changing operations. This is particularly critical because modern SameSite cookie policies (Lax/Strict) depend on browser Same-Site definition, which differs from Same-Origin: requests from app.example.com to attacker.example.com are treated as same-site, allowing cookie attachment despite origin mismatch.

RemediationAI

Upgrade RedwoodSDK to version 1.2.3 or later; no application code changes are required for applications that invoke server actions only from their own origin. The patch enforces Origin/Host header matching for non-GET action requests and rejects mismatched origins with HTTP 403. Applications that legitimately invoke server actions from different origins must configure the new allowedOrigins option on defineApp() to whitelist those origins explicitly. As a temporary mitigation prior to patching, restrict server action invocation to same-origin requests only via deployment configuration, implement explicit CSRF token validation independent of origin checks, or disable cookie-based authentication in favor of token-based methods (Bearer tokens) that are not automatically attached to cross-site requests. Each mitigation has trade-offs: deployment-level blocking may affect legitimate multi-origin architectures; manual CSRF tokens require code changes; token-based auth requires authentication refactoring. Reference: https://github.com/redwoodjs/sdk/security/advisories/GHSA-m2m6-cff5-3w7c.

Share

EUVD-2026-28823 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy