PT-2026-37173 · Unknown · Redwoodsdk

Mthx · Published 2026-04-24 · Updated 2026-05-14 · CVE-2026-42190

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: RedwoodSDK versions 1.0.0-beta.50 through 1.2.2

Description: Server actions in rwsdk apply HTTP method enforcement but lack origin validation. As a result, a request from a different origin that the browser still treats as same-site can invoke a server action using the victim's session cookie. This affects applications that use serverAction(), or functions invoked via the RSC action protocol, together with cookie-based authentication. The impact is limited to the side effects of invoking an action (writes and state changes), since the attacker cannot read the responses. Exposure arises when an attacker controls a sibling subdomain on a custom domain, or a separate process on localhost during local development. Requests from unrelated origins are not affected because of the SameSite=Lax cookie default.

Recommendations: Update to version 1.2.3. For applications that legitimately invoke server actions from another origin, add those origins to the allowedOrigins option on defineApp.
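The following is an added example, not RedwoodSDK's own code, showing the kind of origin validation the advisory says was missing: the request's Origin header must equal the origin the request was sent to, or appear on an explicit allow-list. The option name allowedOrigins is borrowed from the recommendation above; every other identifier is an assumption for illustration. The constructed scenarios cover the cases the description names (a sibling subdomain, a different localhost port, a legitimately allow-listed origin).

```javascript
// Added example (not RedwoodSDK's own code): an origin check for server-action
// requests.  `allowedOrigins` is taken from the advisory's recommendation; all
// other names are assumptions for illustration.

// Normalise an origin string to scheme://host[:port]; null if unparsable.
function normaliseOrigin(value) {
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

// An action request is trusted only when its Origin header is exactly the
// origin it was sent to, or is on the explicit allow-list.  Exact comparison
// is the point: a sibling subdomain (other.example.com vs app.example.com)
// or another port on localhost is same-site, so SameSite=Lax cookies travel
// with it, but it is not the same origin and must not pass.
function isTrustedOrigin(request, allowedOrigins = []) {
  const origin = request.headers.get('origin');
  // Browsers attach Origin to POST/fetch requests; with no Origin we cannot
  // attribute the request, so treat it as cross-site.  'null' is the opaque
  // origin (sandboxed iframe, file://) and is never trusted.
  if (origin === null || origin === 'null') return false;
  const requestOrigin = normaliseOrigin(request.url);
  if (requestOrigin === null) return false;
  if (origin === requestOrigin) return true;
  return allowedOrigins.map(normaliseOrigin).includes(origin);
}

// Decide whether a server-action request may run.  Method enforcement alone
// (what the affected versions had) is the first check; the origin check is
// the missing second one.
function checkServerActionRequest(request, { allowedOrigins = [] } = {}) {
  if (request.method !== 'POST') {
    return { allowed: false, status: 405, reason: 'method not allowed' };
  }
  if (!isTrustedOrigin(request, allowedOrigins)) {
    return { allowed: false, status: 403, reason: 'untrusted origin' };
  }
  return { allowed: true, status: 200, reason: 'ok' };
}

// Minimal request-like object (constructed sample, not a framework request).
function makeRequest(url, origin, method = 'POST') {
  const headers = new Headers();
  if (origin !== undefined) headers.set('Origin', origin);
  return { url, method, headers };
}

// Constructed scenarios mirroring the cases the advisory describes.
function demo() {
  const options = { allowedOrigins: ['https://partner.example.org/'] };
  const cases = {
    sameOrigin: makeRequest('https://app.example.com/action', 'https://app.example.com'),
    siblingSubdomain: makeRequest('https://app.example.com/action', 'https://other.example.com'),
    localhostOtherPort: makeRequest('http://localhost:5173/action', 'http://localhost:3000'),
    allowListed: makeRequest('https://app.example.com/action', 'https://partner.example.org'),
    missingOrigin: makeRequest('https://app.example.com/action', undefined),
    wrongMethod: makeRequest('https://app.example.com/action', 'https://app.example.com', 'GET'),
  };
  const results = {};
  for (const [name, req] of Object.entries(cases)) {
    results[name] = checkServerActionRequest(req, options);
  }
  return results;
}

for (const [name, r] of Object.entries(demo())) {
  console.log(name.padEnd(20), r.status, r.reason);
}
```

Treating a missing Origin header as untrusted is a deliberate design choice here: cookie-bearing browser requests that can mutate state carry Origin, so the only requests that lose out are non-browser clients, which should authenticate with something other than a session cookie anyway. Trailing slashes in allowedOrigins entries are tolerated by normalising through URL.origin, so a configuration typo does not silently widen the allow-list.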

Fix

CSRF


Weakness Enumeration

Related Identifiers

CVE-2026-42190
GHSA-M2M6-CFF5-3W7C

Affected Products

Redwoodsdk