CVE-2026-39371 HIGH

CVE-2026-39371: RedwoodSDK has a CSRF vulnerability in server function dispatch via GET requests

Vendor Redwoodjs
Product sdk
Weakness CWE-352 · CSRF
Published April 7, 2026
Last update April 8, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

What the vulnerability does

01Description

RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, erver functions exported from "use server" files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to trigger state-changing functions, because browsers send SameSite=Lax cookies on top-level GET requests. This affected all server functions -- both serverAction() handlers and bare exported functions in "use server" files. This vulnerability is fixed in 1.0.6.

Key dates

02Disclosure timeline

April 7, 2026 CVE published
April 8, 2026 Record updated