1.0.1
1.0.6
CVE-2026-39371 describes a Cross-Site Request Forgery (CSRF) vulnerability within the rwsdk component of Next.js. This flaw allows attackers to invoke server functions using GET requests, circumventing the intended HTTP method restrictions. The vulnerability impacts all server functions, including serverAction() handlers and exported functions within "use server" files, potentially leading to unauthorized state changes. The vulnerability is fixed in version 1.0.6.
An attacker can exploit this vulnerability by crafting a malicious URL containing a known action ID and JSON-encoded arguments. When a victim with an active session visits this URL, the browser will automatically send the request, including the session cookie, triggering the server function. This allows the attacker to perform actions on behalf of the victim without their knowledge or consent. The impact can range from minor data modifications to complete account takeover, depending on the functionality exposed by the server functions. This vulnerability is particularly concerning in cookie-authenticated applications, as browsers automatically include SameSite=Lax cookies on top-level GET requests, making exploitation easier.
CVE-2026-39371 was published on 2026-04-08. Severity is rated HIGH (CVSS: 8.1). Public proof-of-concept (POC) code is currently unavailable, but the vulnerability's nature suggests it could be easily exploited once a POC is released. The vulnerability is not currently listed on KEV or EPSS, indicating a low to medium probability of active exploitation at this time. Monitor security advisories and vulnerability databases for updates.
Exploit Status
EPSS
0.01% (0% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-39371 is to upgrade to Next.js rwsdk version 1.0.6 or later. If upgrading is not immediately feasible, consider implementing stricter input validation and output encoding on the server-side to prevent malicious data from being processed. Additionally, implement robust CSRF protection mechanisms, such as synchronizer tokens or double-submit cookies, to further harden your application. Review all "use server" functions and ensure they are not accessible via GET requests unless explicitly intended. After upgrading, confirm the fix by attempting to trigger a server function via a GET request and verifying that it is rejected.
Actualice RedwoodSDK a la versión 1.0.6 o superior para mitigar la vulnerabilidad de CSRF. Esta actualización corrige el problema al garantizar que las funciones del servidor solo puedan ser invocadas a través del método HTTP especificado.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-39371 is a Cross-Site Request Forgery (CSRF) vulnerability in the Next.js rwsdk component. It allows attackers to trigger server functions via GET requests, potentially leading to unauthorized actions.
You are affected if you are using Next.js rwsdk versions prior to 1.0.6 and your application relies on cookie-based authentication.
Upgrade to Next.js rwsdk version 1.0.6 or later. Implement stricter input validation and CSRF protection mechanisms as a temporary workaround.
While no active exploitation has been publicly reported, the vulnerability's nature suggests it could be easily exploited once a proof-of-concept is released. Monitor security advisories.
Refer to the Next.js security advisories and release notes on the official Next.js website for the latest information and updates regarding CVE-2026-39371.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.