CVE-2026-27978
ADVISORY - githubSummary
Summary
origin: null was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests.
Impact
An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF).
Patches
Fixed by treating 'null' as an explicit origin value and enforcing host/origin checks unless 'null' is explicitly allowlisted in experimental.serverActions.allowedOrigins.
Workarounds
If upgrade is not immediately possible:
- Add CSRF tokens for sensitive Server Actions.
- Prefer
SameSite=Stricton sensitive auth cookies. - Do not allow
'null'inserverActions.allowedOriginsunless intentionally required and additionally protected.
Common Weakness Enumeration (CWE)
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF)
Origin Validation Error
NIST
2.8
CVSS SCORE
5.3mediumGitHub
-
CVSS SCORE
5.3mediumRed Hat
2.8
CVSS SCORE
4.3mediumminimos
MINI-c5hg-9ww7-fp9h
-
minimos
MINI-hrwq-7pv7-87hw
-