CVE-2026-39371

HIGH

RedwoodSDK has a CSRF vulnerability in server function dispatch via GET requests

Title source: cna

Description

RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, erver functions exported from "use server" files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to trigger state-changing functions, because browsers send SameSite=Lax cookies on top-level GET requests. This affected all server functions -- both serverAction() handlers and bare exported functions in "use server" files. This vulnerability is fixed in 1.0.6.

Exploits (1)

nomisec STUB

by zebbernCVE · poc

https://github.com/zebbernCVE/CVE-2026-39371

View Code ZIP pw:eip

References (1)

[X_Refsource_Confirm] https://github.com/redwoodjs/sdk/security/advisories/GHSA-x8rx-789c-2pxq

Scores

CVSS v3 8.1

EPSS 0.0001

EPSS Percentile 0.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Details

CWE

CWE-352

Status published

Products (4)

npm/rwsdk 1.0.0-beta.50 - 1.0.6npm

redwoodjs/sdk >= 1.0.0-beta.50, < 1.0.6

rwsdk/redwoodsdk 1.0.0 beta50 (10 CPE variants)

rwsdk/redwoodsdk 1.0.1 - 1.0.6

Published Apr 07, 2026

Tracked Since Apr 08, 2026