CVE-2026-27978

ADVISORY - github

Summary

Summary

origin: null was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests.

Impact

An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF).

Patches

Fixed by treating 'null' as an explicit origin value and enforcing host/origin checks unless 'null' is explicitly allowlisted in experimental.serverActions.allowedOrigins.

Workarounds

If upgrade is not immediately possible:

  • Add CSRF tokens for sensitive Server Actions.
  • Prefer SameSite=Strict on sensitive auth cookies.
  • Do not allow 'null' in serverActions.allowedOrigins unless intentionally required and additionally protected.
EPSS Score: 0.002 (0.100)

Common Weakness Enumeration (CWE)

ADVISORY - nist

Cross-Site Request Forgery (CSRF)

ADVISORY - github

Cross-Site Request Forgery (CSRF)

ADVISORY - redhat

Origin Validation Error


Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in