High severity8.1NVD Advisory· Published Apr 7, 2026· Updated May 5, 2026
CVE-2026-39371
CVE-2026-39371
Description
RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, erver functions exported from "use server" files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to trigger state-changing functions, because browsers send SameSite=Lax cookies on top-level GET requests. This affected all server functions -- both serverAction() handlers and bare exported functions in "use server" files. This vulnerability is fixed in 1.0.6.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
rwsdknpm | >= 1.0.0-beta.50, < 1.0.6 | 1.0.6 |
Affected products
11cpe:2.3:a:redwoodjs:redwoodsdk:*:*:*:*:*:*:*:*+ 10 more
- cpe:2.3:a:redwoodjs:redwoodsdk:*:*:*:*:*:*:*:*range: >=1.0.1,<1.0.6
- cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta50:*:*:*:*:*:*
- cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta51:*:*:*:*:*:*
- cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta52:*:*:*:*:*:*
- cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta53:*:*:*:*:*:*
- cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta53_test20260205213024:*:*:*:*:*:*
- cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta54:*:*:*:*:*:*
- cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta55:*:*:*:*:*:*
- cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta56:*:*:*:*:*:*
- cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta57:*:*:*:*:*:*
- cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta58:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-x8rx-789c-2pxqghsaADVISORY
- github.com/redwoodjs/sdk/security/advisories/GHSA-x8rx-789c-2pxqnvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-39371ghsaADVISORY
News mentions
0No linked articles in our index yet.