Description
RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, erver functions exported from "use server" files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to trigger state-changing functions, because browsers send SameSite=Lax cookies on top-level GET requests. This affected all server functions -- both serverAction() handlers and bare exported functions in "use server" files. This vulnerability is fixed in 1.0.6.
Published: 2026-04-07
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted State Change via CSRF
Action: Apply Patch
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-x8rx-789c-2pxq RedwoodSDK has a CSRF vulnerability in server function dispatch via GET requests
History

Tue, 05 May 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Redwoodjs redwoodsdk
CPEs cpe:2.3:a:rwsdk:redwoodsdk:*:*:*:*:*:node.js:*:*
cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta50:*:*:*:node.js:*:*
cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta51:*:*:*:node.js:*:*
cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta52:*:*:*:node.js:*:*
cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta53:*:*:*:node.js:*:*
cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta53_test20260205213024:*:*:*:node.js:*:*
cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta54:*:*:*:node.js:*:*
cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta55:*:*:*:node.js:*:*
cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta56:*:*:*:node.js:*:*
cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta57:*:*:*:node.js:*:*
cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta58:*:*:*:node.js:*:*		 cpe:2.3:a:redwoodjs:redwoodsdk:*:*:*:*:*:*:*:*
cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta50:*:*:*:*:*:*
cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta51:*:*:*:*:*:*
cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta52:*:*:*:*:*:*
cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta53:*:*:*:*:*:*
cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta53_test20260205213024:*:*:*:*:*:*
cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta54:*:*:*:*:*:*
cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta55:*:*:*:*:*:*
cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta56:*:*:*:*:*:*
cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta57:*:*:*:*:*:*
cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta58:*:*:*:*:*:*
Vendors & Products Rwsdk
Rwsdk redwoodsdk
Redwoodjs redwoodsdk

Fri, 24 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Rwsdk
Rwsdk redwoodsdk
CPEs cpe:2.3:a:rwsdk:redwoodsdk:*:*:*:*:*:node.js:*:*
cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta50:*:*:*:node.js:*:*
cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta51:*:*:*:node.js:*:*
cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta52:*:*:*:node.js:*:*
cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta53:*:*:*:node.js:*:*
cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta53_test20260205213024:*:*:*:node.js:*:*
cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta54:*:*:*:node.js:*:*
cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta55:*:*:*:node.js:*:*
cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta56:*:*:*:node.js:*:*
cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta57:*:*:*:node.js:*:*
cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta58:*:*:*:node.js:*:*
Vendors & Products Rwsdk
Rwsdk redwoodsdk

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Redwoodjs
Redwoodjs sdk
Vendors & Products Redwoodjs
Redwoodjs sdk

Wed, 08 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, erver functions exported from "use server" files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to trigger state-changing functions, because browsers send SameSite=Lax cookies on top-level GET requests. This affected all server functions -- both serverAction() handlers and bare exported functions in "use server" files. This vulnerability is fixed in 1.0.6.
Title RedwoodSDK has a CSRF vulnerability in server function dispatch via GET requests
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}

Subscriptions

Redwoodjs Redwoodsdk Sdk
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T17:46:55.661Z

Reserved: 2026-04-06T21:29:17.350Z

Link: CVE-2026-39371

cve-icon Vulnrichment

Updated: 2026-04-08T17:46:51.324Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T20:16:31.980

Modified: 2026-05-05T15:31:14.843

Link: CVE-2026-39371

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:46:16Z

Weaknesses