CVE-2026-27978
ADVISORY - githubSummary
Summary
origin: null was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests.
Impact
An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF).
Patches
Fixed by treating 'null' as an explicit origin value and enforcing host/origin checks unless 'null' is explicitly allowlisted in experimental.serverActions.allowedOrigins.
Workarounds
If upgrade is not immediately possible:
- Add CSRF tokens for sensitive Server Actions.
- Prefer
SameSite=Stricton sensitive auth cookies. - Do not allow
'null'inserverActions.allowedOriginsunless intentionally required and additionally protected.
Common Weakness Enumeration (CWE)
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF)
Origin Validation Error
Sign in to Docker Scout
See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.
Sign in