Platform: nodejs
Component: next
Fixed in: 16.0.2, 16.1.7
CVE-2026-27978 is a Cross-Site Request Forgery (CSRF) vulnerability discovered in next.js Server Actions. This flaw allows attackers to induce a victim's browser to submit Server Actions from a sandboxed context, potentially leading to unauthorized state changes. The vulnerability impacts versions of next.js prior to 16.1.7, and a patch has been released to address the issue.
The core of the vulnerability lies in how next.js Server Actions handled the `Origin: null` header value during CSRF validation. Instead of treating it as a missing origin, the check interpreted it as a valid but empty origin. This allowed requests from opaque contexts, such as sandboxed iframes, to pass the origin check. Consequently, an attacker could craft requests that appear to originate from the victim's browser and trick the server into executing Server Actions with the victim's credentials. The potential impact includes unauthorized data modification, account takeover, and any other action the victim is authorized to perform. This is particularly concerning given the increasing reliance on Server Actions for sensitive operations in next.js applications.
This vulnerability was publicly disclosed on 2026-03-17. There are currently no known public proof-of-concept exploits available. The vulnerability's impact is considered medium due to the potential for CSRF attacks, although the requirement for a sandboxed context may limit its immediate exploitability. It has not been added to the CISA KEV catalog at the time of this writing.
Exploit Status
EPSS: 0.01% (0% percentile)
CISA SSVC
The primary mitigation for CVE-2026-27978 is to upgrade to next.js version 16.1.7 or later. This version treats `'null'` as an explicit origin value and enforces stricter host/origin checks, which prevents the bypass. If an immediate upgrade is not feasible, consider a temporary workaround of explicitly allowlisting `'null'` in the experimental.serve configuration. This approach should be evaluated carefully, as it may introduce other security risks; review and test any configuration change before deploying it to production. After upgrading, confirm the fix by attempting to submit a Server Action from a sandboxed iframe and verifying that the request is blocked.
Update Next.js to version 16.1.7 or higher. If updating is not immediately possible, add CSRF tokens for sensitive Server Actions, prefer `SameSite=Strict` on sensitive authentication cookies, and/or do not allow `'null'` in `serverActions.allowedOrigins` unless intentionally required and additionally protected.
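To make the mechanism in the paragraphs above concrete, here is an added example that is not Next.js's own code: a simplified model of the Origin/Host check that guards a Server Action POST, written once in the weak form the advisory describes (an `Origin: null` value collapsing into the "no origin to check" branch) and once in a hardened form where `"null"` is an explicit value that is accepted only if it appears in an allowlist such as `serverActions.allowedOrigins`. The function names, the `allowedOrigins` parameter and the sample header objects are all assumptions constructed for this illustration; the decision to reject a missing `Origin` on a state-changing POST is a design choice of this model, not a statement about what the patched framework does.

```javascript
// Added example (not Next.js's own code): a simplified model of the Origin/Host
// check that guards Server Action POSTs, in the weak form the advisory
// describes and in a hardened form. All header objects below are constructed.

// Hostname (with port) of an Origin header value, or "" when it cannot be
// parsed. "null", the opaque origin a sandboxed iframe sends, has no host.
function originHost(origin) {
  try {
    return new URL(origin).host;
  } catch {
    return "";
  }
}

// Effective host of the request, honouring a proxy-supplied forwarded host.
function requestHost(headers) {
  return headers["x-forwarded-host"] || headers.host || "";
}

// Weak check. A request with no parsable origin host is waved through, which
// was meant for clients that omit the header, but "Origin: null" reaches the
// same branch because its host is "". That is the bypass.
function weakOriginCheck(headers, allowedOrigins = []) {
  const oh = originHost(headers.origin);
  if (oh === "") return true; // treated as "no origin to check" (the bug)
  return oh === requestHost(headers) || allowedOrigins.includes(oh);
}

// Hardened check. "null" is an explicit value: it never equals the request
// host and is accepted only if the operator deliberately allowlisted "null".
// A missing Origin on a state-changing POST is rejected in this model
// (modern browsers send Origin on POST requests), and an unparsable origin is
// treated as a bad value, not as an empty one.
function strictOriginCheck(headers, allowedOrigins = []) {
  const origin = headers.origin;
  if (origin === undefined || origin === "") return false;
  if (origin === "null") return allowedOrigins.includes("null");
  const oh = originHost(origin);
  if (oh === "") return false;
  return oh === requestHost(headers) || allowedOrigins.includes(oh);
}

// Constructed sample requests: a same-site form post, a cross-site post, a post
// from a sandboxed iframe (Origin: null), and a client that sent no Origin.
const SAMPLE_REQUESTS = {
  sameSite: { host: "app.example", origin: "https://app.example" },
  crossSite: { host: "app.example", origin: "https://evil.example" },
  sandboxedIframe: { host: "app.example", origin: "null" },
  noOrigin: { host: "app.example" },
};

// Run both checks over the samples; returns { name: { weak, strict } }.
function compareChecks(allowedOrigins = []) {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLE_REQUESTS)) {
    out[name] = {
      weak: weakOriginCheck(headers, allowedOrigins),
      strict: strictOriginCheck(headers, allowedOrigins),
    };
  }
  return out;
}

console.table(compareChecks());
```

Running it shows the two checks agreeing on the same-site and cross-site requests and disagreeing on the sandboxed-iframe one: the weak check accepts `Origin: null` because the empty host looks like an absent header, while the strict check rejects it unless `"null"` was placed in the allowlist on purpose. Passing `["null"]` as `allowedOrigins` reproduces the effect of the workaround the advisory mentions, which is why that setting deserves a compensating control such as a CSRF token.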
CVE-2026-27978 is a Cross-Site Request Forgery (CSRF) vulnerability in next.js Server Actions that allows attackers to bypass origin verification and potentially execute actions with victim credentials.
You are affected if you are using a version of next.js prior to 16.1.7 and utilize Server Actions in your application.
Upgrade to next.js version 16.1.7 or later. As a temporary workaround, you can explicitly allowlist `'null'` in the experimental.serve configuration, but this should be evaluated carefully.
There are currently no known active exploits for CVE-2026-27978, but the vulnerability's potential impact warrants prompt mitigation.
Refer to the official next.js security advisory for detailed information and updates: [https://github.com/vercel/next.js/security/advisories/GHSA-xxxx-xxxx-xxxx](https://github.com/vercel/next.js/security/advisories/GHSA-xxxx-xxxx-xxxx)