PT-2026-30990 · Unknown · Redwoodsdk

Zebbern · Published 2026-04-07 · Updated 2026-04-08 · CVE-2026-39371

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions

RedwoodSDK versions 1.0.0-beta.50 through 1.0.5

Description

RedwoodSDK server functions exported from "use server" files were callable via GET requests, circumventing intended HTTP method restrictions. In applications using cookie-based authentication, this permitted cross-site GET requests to initiate state modifications, as browsers include SameSite=Lax cookies with top-level GET requests. This impacted all server functions, including serverAction() handlers and directly exported functions within "use server" files.

Recommendations

Update to RedwoodSDK version 1.0.6 or later.
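The method check the description refers to, shown on a toy dispatcher. This is an added example, not RedwoodSDK code or the project's fix; the registry, the session store, the `action` and `args` parameters and all function names are hypothetical.

```javascript
// Added illustration; not RedwoodSDK code. All names here are hypothetical.
// Model of a "use server" registry: action id -> function that mutates state.
const accounts = { alice: { email: "alice@example.test" } };
const serverFunctions = {
  updateEmail: (user, args) => { accounts[user].email = args.email; return "ok"; },
};

// Constructed session store: cookie header value -> authenticated user.
const sessions = { "sid=abc123": "alice" };

function parse(req) {
  const url = new URL(req.url);
  return {
    user: sessions[req.headers.cookie],
    fn: serverFunctions[url.searchParams.get("action")],
    // In this model GET carries arguments in the query string, POST in the body.
    args: req.method === "GET"
      ? JSON.parse(url.searchParams.get("args") || "{}")
      : JSON.parse(req.body || "{}"),
  };
}

// Behaviour the advisory describes: the HTTP method is never checked, so a
// cookie-authenticated GET reaches the state-changing function.
function dispatchAnyMethod(req) {
  const { user, fn, args } = parse(req);
  if (!user || !fn) return { status: 404 };
  return { status: 200, body: fn(user, args) };
}

// Hardened form: reject everything except POST before any function lookup.
// SameSite=Lax cookies are not attached to cross-site POST requests.
function dispatchPostOnly(req) {
  if (req.method !== "POST") return { status: 405, headers: { allow: "POST" } };
  return dispatchAnyMethod(req);
}

// Constructed request: a top-level cross-site GET navigation, which the
// browser sends with the SameSite=Lax session cookie attached.
function crossSiteGet(email) {
  const args = encodeURIComponent(JSON.stringify({ email }));
  return {
    method: "GET",
    url: "https://app.example.test/?action=updateEmail&args=" + args,
    headers: { cookie: "sid=abc123", "sec-fetch-site": "cross-site" },
  };
}
```

When reviewing an application on an affected version, the same property can be checked from the outside: a GET to any server-function endpoint should return an error and leave state unchanged.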

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2026-39371
GHSA-X8RX-789C-2PXQ

Affected Products

Redwoodsdk