PT-2026-25909 · Vercel · Next.Js

Tanner · Published 2026-03-17 · Updated 2026-05-03 · CVE-2026-27978

CVSS v4.0: 5.3 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Next.js versions 16.0.1 through 16.1.7

Description: Next.js, a React framework for building full-stack web applications, had a flaw in its Server Action CSRF validation. Specifically, an Origin header with the value null (origin: null) was incorrectly treated as a missing origin, so requests from opaque contexts such as sandboxed iframes bypassed origin verification. An attacker could therefore induce a victim's browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with the victim's credentials, which amounts to a Cross-Site Request Forgery (CSRF) attack. The issue was addressed by treating 'null' as an explicit origin value and enforcing host/origin checks unless 'null' is explicitly allowlisted in experimental.serverActions.allowedOrigins. The API endpoint is susceptible to this issue when processing Server Actions. The vulnerable parameter is origin, which, when set to null, bypasses the CSRF validation.

Recommendations: Next.js versions prior to 16.1.7 should be upgraded to version 16.1.7 or later. If upgrading is not immediately possible, add CSRF tokens for sensitive Server Actions. Prefer SameSite=Strict on sensitive authentication cookies. Do not allow 'null' in experimental.serverActions.allowedOrigins unless it is intentionally required and additionally protected.
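As an added illustration of the origin check described above (not Next.js's own code; the function names, the plain-object header shape and the handling of a request that carries no Origin header at all are assumptions), the pre-fix and fixed shapes of the check side by side:

```javascript
// Illustrative origin check for a Server Action request. Headers are a plain
// object with lowercase keys; allowedOrigins plays the role of
// experimental.serverActions.allowedOrigins. For this illustration a request
// with no Origin header at all is assumed to skip the check in both versions,
// so the only behavioural difference is how the literal value "null" is handled.

function originMatchesHost(origin, host) {
  try {
    return new URL(origin).host === host; // compare host[:port] of the Origin
  } catch {
    return false; // an unparsable Origin (including "null") never matches
  }
}

// Pre-fix shape: the literal string "null", which browsers send from opaque
// contexts such as sandboxed iframes, is collapsed into "no Origin header"
// and the request is waved through without any host/origin comparison.
function isAllowedVulnerable(headers, allowedOrigins = []) {
  const host = headers.host;
  let origin = headers.origin ?? null;
  if (origin === "null") origin = null;           // the flaw: null == missing
  if (origin === null) return true;               // missing -> not checked
  return originMatchesHost(origin, host) || allowedOrigins.includes(origin);
}

// Fixed shape: "null" is an explicit origin value. It can never match the
// host, so it passes only when the operator has allowlisted "null" on purpose.
function isAllowedFixed(headers, allowedOrigins = []) {
  const host = headers.host;
  const origin = headers.origin ?? null;
  if (origin === null) return true;               // same assumption as above
  if (origin === "null") return allowedOrigins.includes("null");
  return originMatchesHost(origin, host) || allowedOrigins.includes(origin);
}

// Constructed sample requests: a same-origin form post and a post whose
// Origin header carries the opaque "null" value.
const sameOrigin = { host: "app.example", origin: "https://app.example" };
const opaque = { host: "app.example", origin: "null" };
```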

Exploit · Fix · CSRF

Weakness Enumeration

Related Identifiers

BDU:2026-06591
CVE-2026-27978
GHSA-MQ59-M269-XVCX

Affected Products

Next.Js