PT-2026-25909 · Npm · Next
Published
2026-03-17
·
Updated
2026-03-17
·
CVE-2026-27978
CVSS v4.0
5.3
| Vector | AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
Summary
origin: null was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests.Impact
An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF).
Patches
Fixed by treating
'null' as an explicit origin value and enforcing host/origin checks unless 'null' is explicitly allowlisted in experimental.serverActions.allowedOrigins.Workarounds
If upgrade is not immediately possible:
- Add CSRF tokens for sensitive Server Actions.
- Prefer
SameSite=Stricton sensitive auth cookies. - Do not allow
'null'inserverActions.allowedOriginsunless intentionally required and additionally protected.
Fix
CSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Next