{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27978", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-25T03:24:57.793Z", "datePublished": "2026-03-17T23:59:22.600Z", "dateUpdated": "2026-03-18T19:48:04.820Z"}, "containers": {"cna": {"title": "Next.js: null origin can bypass Server Actions CSRF checks", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx"}, {"name": "https://github.com/vercel/next.js/commit/a27a11d78e748a8c7ccfd14b7759ad2b9bf097d8", "tags": ["x_refsource_MISC"], "url": "https://github.com/vercel/next.js/commit/a27a11d78e748a8c7ccfd14b7759ad2b9bf097d8"}, {"name": "https://github.com/vercel/next.js/releases/tag/v16.1.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/vercel/next.js/releases/tag/v16.1.7"}], "affected": [{"vendor": "vercel", "product": "next.js", "versions": [{"version": ">= 16.0.1, < 16.1.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T00:23:59.876Z"}, "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, `origin: null` was treated as a \"missing\" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests. An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF). This is fixed in version 16.1.7 by treating `'null'` as an explicit origin value and enforcing host/origin checks unless `'null'` is explicitly allowlisted in `experimental.serverActions.allowedOrigins`. If upgrading is not immediately possible, add CSRF tokens for sensitive Server Actions, prefer `SameSite=Strict` on sensitive auth cookies, and/or do not allow `'null'` in `serverActions.allowedOrigins` unless intentionally required and additionally protected."}], "source": {"advisory": "GHSA-mq59-m269-xvcx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T19:47:56.377866Z", "id": "CVE-2026-27978", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T19:48:04.820Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27978", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-18T19:47:56.377866Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T19:48:00.450Z"}}], "cna": {"title": "Next.js: null origin can bypass Server Actions CSRF checks", "source": {"advisory": "GHSA-mq59-m269-xvcx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "vercel", "product": "next.js", "versions": [{"status": "affected", "version": ">= 16.0.1, < 16.1.7"}]}], "references": [{"url": "https://github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx", "name": "https://github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vercel/next.js/commit/a27a11d78e748a8c7ccfd14b7759ad2b9bf097d8", "name": "https://github.com/vercel/next.js/commit/a27a11d78e748a8c7ccfd14b7759ad2b9bf097d8", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vercel/next.js/releases/tag/v16.1.7", "name": "https://github.com/vercel/next.js/releases/tag/v16.1.7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, `origin: null` was treated as a \"missing\" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests. An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF). This is fixed in version 16.1.7 by treating `'null'` as an explicit origin value and enforcing host/origin checks unless `'null'` is explicitly allowlisted in `experimental.serverActions.allowedOrigins`. If upgrading is not immediately possible, add CSRF tokens for sensitive Server Actions, prefer `SameSite=Strict` on sensitive auth cookies, and/or do not allow `'null'` in `serverActions.allowedOrigins` unless intentionally required and additionally protected."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T00:23:59.876Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27978", "state": "PUBLISHED", "dateUpdated": "2026-03-18T19:48:04.820Z", "dateReserved": "2026-02-25T03:24:57.793Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-17T23:59:22.600Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "B6AA61BB-C5CD-4725-9A02-BEFA55D52351", "versionEndExcluding": "16.1.7", "versionStartIncluding": "16.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, `origin: null` was treated as a \"missing\" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests. An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF). This is fixed in version 16.1.7 by treating `'null'` as an explicit origin value and enforcing host/origin checks unless `'null'` is explicitly allowlisted in `experimental.serverActions.allowedOrigins`. If upgrading is not immediately possible, add CSRF tokens for sensitive Server Actions, prefer `SameSite=Strict` on sensitive auth cookies, and/or do not allow `'null'` in `serverActions.allowedOrigins` unless intentionally required and additionally protected."}, {"lang": "es", "value": "Next.js es un React framework para construir aplicaciones web full-stack. A partir de la versi\u00f3n 16.0.1 y antes de la versi\u00f3n 16.1.7, `origin: null` fue tratado como un origen 'faltante' durante la validaci\u00f3n CSRF de las Server Actions. Como resultado, las solicitudes de contextos opacos (como iframes en sandbox) pod\u00edan eludir la verificaci\u00f3n de origen en lugar de ser validadas como solicitudes de origen cruzado. Un atacante podr\u00eda inducir a un navegador v\u00edctima a enviar Server Actions desde un contexto en sandbox, ejecutando potencialmente acciones que cambian el estado con credenciales de la v\u00edctima (CSRF). Esto se corrigi\u00f3 en la versi\u00f3n 16.1.7 al tratar `'null'` como un valor de origen expl\u00edcito y al aplicar comprobaciones de host/origen a menos que `'null'` est\u00e9 expl\u00edcitamente en la lista de permitidos en `experimental.serverActions.allowedOrigins`. Si la actualizaci\u00f3n no es posible de inmediato, a\u00f1ada tokens CSRF para Server Actions sensibles, prefiera `SameSite=Strict` en cookies de autenticaci\u00f3n sensibles, y/o no permita `'null'` en `serverActions.allowedOrigins` a menos que sea intencionalmente requerido y adicionalmente protegido."}], "id": "CVE-2026-27978", "lastModified": "2026-03-18T20:05:48.490", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-18T00:16:20.117", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vercel/next.js/commit/a27a11d78e748a8c7ccfd14b7759ad2b9bf097d8"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/vercel/next.js/releases/tag/v16.1.7"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Mitigation"], "url": "https://github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "next.js: Next.js: null origin can bypass Server Actions CSRF checks", "id": "2448513", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448513"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-346", "details": ["A CSRF check bypass flaw has been discovered in Next.js. The `origin: null` was treated as a \"missing\" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests. An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF)."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-27978", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "dotnet7.0", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/bootc-rocm-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "rhelai3/disk-image-cuda-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/rekor-search-ui-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:amq_streams:2", "fix_state": "Fix deferred", "package_name": "com.github.streamshub-console", "product_name": "streams for Apache Kafka 2"}, {"cpe": "cpe:/a:redhat:amq_streams:3", "fix_state": "Fix deferred", "package_name": "com.github.streamshub-console", "product_name": "streams for Apache Kafka 3"}], "public_date": "2026-03-17T23:59:22Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27978\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27978\nhttps://github.com/vercel/next.js/commit/a27a11d78e748a8c7ccfd14b7759ad2b9bf097d8\nhttps://github.com/vercel/next.js/releases/tag/v16.1.7\nhttps://github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[16.0.1,16.1.7)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "next.js", "source": "cna", "vendor": "vercel"}, "product": "next.js", "vendor": "vercel"}], "analysis": {"en": {"generated_at": "2026-03-19T02:54:52.506520+00:00", "value": {"mitigation_remediation": ["Upgrade Next.js to version 16.1.7 or later to enforce explicit origin validation", "Configure experimental.serverActions.allowedOrigins to permit \"null\" only if explicitly required and correctly filter such requests", "Add CSRF tokens to all sensitive Server Actions", "Prefer SameSite=Strict on authentication cookies to reduce browser\u2011side attack surface"], "summary": {"action": "Patch", "impact": "Cross\u2011Site Request Forgery via null origin bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Vercel Next.js framework. All releases in the 16.x series from version 16.0.1 up through 16.1.6 are affected. The specific product identifier is cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*. No other vendors or products are listed as affected.", "description_and_impact": "In Next.js, when an HTTP request\u2019s origin header is set to the string \"null\" it is currently treated as if no origin were supplied during Server Action CSRF validation. This logic flaw means that requests originating from opaque contexts\u2014such as sandboxed iframes or other contexts that set the origin to \"null\"\u2014are effectively allowed through the CSRF check. An attacker can exploit this behavior by causing a victim\u2019s browser to load a malicious resource that sends a Server Action request with an origin of \"null\". Because the request is not rejected, the action can be executed with the victim\u2019s credentials, resulting in unauthorized state change. The affected weakness is a missing origin check (CWE\u2011346) and a classic Cross\u2011Site Request Forgery vulnerability (CWE\u2011352).", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity. EPSS is recorded as less than 1%, implying a low projected exploitation likelihood under current threat intelligence. This issue is not listed in the CISA KEV catalog. The attack vector is client\u2011side: an attacker must embed a malicious iframe or otherwise force a victim\u2019s browser to issue a Server Action with an origin of \"null\". Exploitation requires that the target application enables Server Actions and that a user who is authenticated visits or views the malicious content. If an application has elevated privileges tied to these actions, the misuse can lead to unauthorized data modification. Given the requirements, the immediate threat is moderate but mitigatable by applying the vendor patch or recommended workarounds."}}}}, "created": "2026-03-18T10:42:26.287277+00:00", "updated": "2026-03-24T10:54:14.582288+00:00", "vendors": ["vercel", "vercel$PRODUCT$next.js"]}