Platform
nodejs
Component
next
Fixed in
16.0.2
16.1.7
CVE-2026-27978 is a Cross-Site Request Forgery (CSRF) vulnerability in next.js Server Actions. It allows an attacker to induce a victim's browser to submit Server Actions from a sandboxed context, potentially leading to unauthorized state changes. next.js versions before the fixed releases listed above (16.0.2 and 16.1.7) are affected; patched builds are available.
The root cause is how next.js Server Actions handled the `Origin: null` request header during CSRF validation. Browsers send `Origin: null` for requests from an opaque origin, for example a form submitted from an iframe that carries the `sandbox` attribute without `allow-same-origin`. Instead of treating this as a missing or untrusted origin, the check interpreted it as a valid, albeit empty, origin, so requests from such opaque contexts passed the origin comparison. An attacker who gets the victim's browser to submit such a request can therefore have the server execute a Server Action with whatever credentials the browser attaches. The potential impact is unauthorized data modification, account takeover, and any other action the victim is authorized to perform, which matters because Server Actions increasingly handle sensitive operations in next.js applications.
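To make the flaw concrete, here is an added example (not Next.js source code, and not from the advisory): a small model of a Server Action origin check with the weakness described above, next to a hardened version, run over constructed requests. The request shape, the function names, the fail-closed handling of a missing Origin header, and the allowlist format (host names with an optional `*.` prefix, as accepted by `experimental.serverActions.allowedOrigins` in next.config.js) are assumptions of this example.

```javascript
// Added example, not Next.js source: a model of the origin check behind the
// bypass, next to a hardened version. Request shape, function names and the
// allowlist format are assumptions of this example.

// A Server Action arrives as a POST carrying a Next-Action header (action id
// constructed here) plus the Host and browser-set Origin headers.
// origin === undefined models an absent header; the string 'null' is what a
// browser sends from an opaque origin, e.g. a form submitted inside
// <iframe sandbox="allow-forms allow-scripts"> on an attacker's page.
function makeRequest(host, origin) {
  const headers = { host, 'next-action': '7f3a9c2e' };
  if (origin !== undefined) headers.origin = origin;
  return { method: 'POST', headers };
}

// Allowlist match: exact host, or "*.suffix" for any subdomain of suffix.
// The literal entry 'null' is handled by the callers, never as a host.
function matchesAllowlist(host, allowedOrigins) {
  return allowedOrigins.some((entry) => {
    if (entry === 'null') return false;
    if (entry.startsWith('*.')) {
      const suffix = entry.slice(1); // '*.proxy.example' -> '.proxy.example'
      return host.endsWith(suffix) && host.length > suffix.length;
    }
    return host === entry;
  });
}

// Lenient parse that models the flaw: anything that is not a URL, including
// the serialized opaque origin 'null', collapses to an empty host.
function hostOfLenient(origin) {
  try {
    return new URL(origin).host;
  } catch {
    return '';
  }
}

// Vulnerable check. 'null' is not a missing header, so it reaches the parse,
// becomes '' and is then waved through as "nothing to compare".
function checkOriginVulnerable(req, allowedOrigins = []) {
  const origin = req.headers.origin;
  if (origin === undefined) return 'allowed';
  const originHost = hostOfLenient(origin);
  if (!originHost) return 'allowed'; // BUG: empty host from 'null' passes
  if (originHost === req.headers.host) return 'allowed';
  return matchesAllowlist(originHost, allowedOrigins) ? 'allowed' : 'blocked';
}

// Hardened check: a missing Origin fails closed (browsers send it on POST),
// 'null' is an explicit value that must be allowlisted on purpose, and
// anything that does not parse as a URL is rejected rather than ignored.
function checkOriginHardened(req, allowedOrigins = []) {
  const origin = req.headers.origin;
  if (origin === undefined) return 'blocked';
  if (origin === 'null') {
    return allowedOrigins.includes('null') ? 'allowed' : 'blocked';
  }
  let originHost;
  try {
    originHost = new URL(origin).host;
  } catch {
    return 'blocked';
  }
  if (originHost === req.headers.host) return 'allowed';
  return matchesAllowlist(originHost, allowedOrigins) ? 'allowed' : 'blocked';
}

// Constructed requests: the sandboxedIframe case is the CVE scenario.
const CASES = {
  sameOrigin: makeRequest('app.example.com', 'https://app.example.com'),
  crossOrigin: makeRequest('app.example.com', 'https://attacker.example'),
  sandboxedIframe: makeRequest('app.example.com', 'null'),
  noOrigin: makeRequest('app.example.com', undefined),
  allowedProxy: makeRequest('app.example.com', 'https://edge.proxy.example'),
};

// Run one check over all cases; the default allowlist is a wildcard proxy
// entry such as you would put in next.config.js.
function evaluate(check, allowedOrigins = ['*.proxy.example']) {
  return Object.fromEntries(
    Object.entries(CASES).map(([name, req]) => [name, check(req, allowedOrigins)])
  );
}

console.table({
  vulnerable: evaluate(checkOriginVulnerable),
  hardened: evaluate(checkOriginHardened),
});
```

The row to watch is `sandboxedIframe`: the vulnerable model reports `allowed`, the hardened one `blocked`, while both still reject a plain cross-origin request, which is why the bug is easy to miss in ordinary CSRF testing. The hardened check only accepts `Origin: null` when the operator has listed `'null'` explicitly, mirroring the advice below not to allowlist it unless it is intentionally required and otherwise protected.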
This vulnerability was publicly disclosed on 2026-03-17. No public proof-of-concept exploit is known at the time of writing. The impact is rated medium because it is a CSRF. Note that the sandboxed context is supplied by the attacker's own page, so it is not a barrier in itself; what limits exploitation in practice is whether the browser attaches the victim's session cookie to the cross-site POST (see the SameSite advice under mitigation). The vulnerability has not been added to the CISA KEV catalog at the time of this writing.
Applications utilizing next.js Server Actions, particularly those that handle sensitive user data or perform critical operations, are at risk. This includes applications with complex authentication flows, financial transactions, or any functionality that relies on user credentials. Shared hosting environments where multiple applications share the same server configuration may also be affected.
• nodejs / server:
# Check the installed next.js version against the fixed releases listed above
npm list next
• nodejs / server:
# Review next.config.js for the Server Actions origin allowlist
# (experimental.serverActions.allowedOrigins); 'null' should not appear in it
grep -n 'allowedOrigins' next.config.js
• nodejs / server:
# Look for Server Action POSTs that arrived with an Origin of null
# (assumes your access/application log records the Origin request header)
grep -n -i 'origin: null' application.log
Disclosure
Exploit status
EPSS
0.01% (0th percentile)
CISA SSVC
The mitigation for CVE-2026-27978 is to upgrade to next.js 16.1.7 or later (or the fixed release for your branch, see above). The fixed version treats 'null' as an explicit origin value and enforces stricter host/origin checks, which closes the bypass. If an immediate upgrade is not feasible, do not allowlist 'null' in experimental.serverActions.allowedOrigins in next.config.js (that would turn the opaque-origin bypass into sanctioned configuration), add CSRF tokens to sensitive Server Actions, and set SameSite=Strict on authentication cookies so the browser does not attach them to cross-site POSTs. Review and test any configuration change before deploying it to production. After upgrading, confirm the fix by submitting a Server Action from a page that embeds the form in a sandboxed iframe (so the browser sends Origin: null) and verifying that the request is rejected.
Update Next.js to version 16.1.7 or later. If an upgrade is not immediately possible, add CSRF tokens for sensitive Server Actions, prefer `SameSite=Strict` on sensitive authentication cookies, and/or do not allow `'null'` in `serverActions.allowedOrigins` unless it is intentionally required and additionally protected.
CVE-2026-27978 is a Cross-Site Request Forgery (CSRF) vulnerability in next.js Server Actions that allows attackers to bypass origin verification and potentially execute actions with victim credentials.
You are affected if you are using a version of next.js prior to 16.1.7 and utilize Server Actions in your application.
Upgrade to next.js version 16.1.7 or later. Until you can, add CSRF tokens to sensitive Server Actions, use SameSite=Strict on authentication cookies, and make sure 'null' is not allowlisted in experimental.serverActions.allowedOrigins.
There are currently no known active exploits for CVE-2026-27978, but the vulnerability's potential impact warrants prompt mitigation.
Refer to the official next.js security advisory for detailed information and updates: [https://github.com/vercel/next.js/security/advisories/GHSA-xxxx-xxxx-xxxx](https://github.com/vercel/next.js/security/advisories/GHSA-xxxx-xxxx-xxxx)