CVE-2026-27978

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, `origin: null` was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests. An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF). This is fixed in version 16.1.7 by treating `'null'` as an explicit origin value and enforcing host/origin checks unless `'null'` is explicitly allowlisted in `experimental.serverActions.allowedOrigins`. If upgrading is not immediately possible, add CSRF tokens for sensitive Server Actions, prefer `SameSite=Strict` on sensitive auth cookies, and/or do not allow `'null'` in `serverActions.allowedOrigins` unless intentionally required and additionally protected.
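As an added illustration (not Next.js source; the function names, header-object shape and the rule that a request with no Origin header at all skips the comparison are assumptions drawn from the description above), this models the origin check the advisory describes: the vulnerable variant collapses `Origin: null` into "no Origin header" and skips verification, while the fixed variant treats `'null'` as an explicit value that must match the host or be allowlisted.

```javascript
// Illustrative model of the Server Action origin check described in
// CVE-2026-27978. NOT Next.js source: the function names, the header object
// shape and the "missing Origin skips the check" rule are assumptions.

// Sandboxed iframes and other opaque contexts send the literal header
// `Origin: null`. Node's URL parser rejects that string, so it needs its own
// branch instead of being parsed like a normal origin.
function originToComparable(origin) {
  if (origin === 'null') return 'null';
  try {
    return new URL(origin).host; // e.g. "app.example" or "app.example:3000"
  } catch {
    return undefined; // malformed Origin header
  }
}

// headers: plain object of lowercase header names -> values
// allowedOrigins: hosts (or the literal 'null') permitted to invoke actions,
//                 standing in for experimental.serverActions.allowedOrigins
// treatNullAsMissing: true models the 16.0.1 .. 16.1.6 behaviour,
//                     false models the 16.1.7 fix
function checkServerActionOrigin(headers, allowedOrigins, { treatNullAsMissing }) {
  const host = headers.host;
  let origin = headers.origin;

  // Vulnerable branch: 'null' is demoted to "no Origin header".
  if (treatNullAsMissing && origin === 'null') origin = undefined;

  // Assumption: a request with no Origin header is not subjected to the
  // host/origin comparison; the bypass in the advisory relies on this.
  if (origin === undefined) return { allowed: true, reason: 'origin-missing' };

  const comparable = originToComparable(origin);
  if (comparable === undefined) return { allowed: false, reason: 'malformed-origin' };
  if (comparable === host) return { allowed: true, reason: 'same-host' };
  if (allowedOrigins.includes(comparable)) return { allowed: true, reason: 'allowlisted' };
  // 'null' ends up here in the fixed variant unless explicitly allowlisted.
  return { allowed: false, reason: 'cross-origin' };
}

// Constructed sample: a request from a sandboxed context against app.example.
const sandboxedRequest = { host: 'app.example', origin: 'null' };
console.log(checkServerActionOrigin(sandboxedRequest, [], { treatNullAsMissing: true }).reason);  // origin-missing (vulnerable)
console.log(checkServerActionOrigin(sandboxedRequest, [], { treatNullAsMissing: false }).reason); // cross-origin (fixed)
```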
CVSS

No CVSS.

Configurations

No configuration.

History

18 Mar 2026, 14:52

Type Values Removed Values Added
Summary
  • (es) Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, `origin: null` was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests. An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with the victim's credentials (CSRF). This was fixed in version 16.1.7 by treating `'null'` as an explicit origin value and applying host/origin checks unless `'null'` is explicitly on the allowlist in `experimental.serverActions.allowedOrigins`. If upgrading is not immediately possible, add CSRF tokens for sensitive Server Actions, prefer `SameSite=Strict` on sensitive authentication cookies, and/or do not allow `'null'` in `serverActions.allowedOrigins` unless it is intentionally required and additionally protected.

18 Mar 2026, 01:16

Type Values Removed Values Added
Summary
  • Removed: (en) Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, `origin: null` was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests. An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF). This is fixed in version 16.1.7 by treating `'null'` as an explicit origin value and enforcing host/origin checks unless `'null'` is explicitly allowlisted in `experimental.serverActions.allowedOrigins`. If upgrade is not immediately possible, add CSRF tokens for sensitive Server Actions, prefer `SameSite=Strict` on sensitive auth cookies, and/or do not allow `'null'` in `serverActions.allowedOrigins` unless intentionally required and additionally protected.
  • Added: (en) Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, `origin: null` was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests. An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF). This is fixed in version 16.1.7 by treating `'null'` as an explicit origin value and enforcing host/origin checks unless `'null'` is explicitly allowlisted in `experimental.serverActions.allowedOrigins`. If upgrading is not immediately possible, add CSRF tokens for sensitive Server Actions, prefer `SameSite=Strict` on sensitive auth cookies, and/or do not allow `'null'` in `serverActions.allowedOrigins` unless intentionally required and additionally protected.

18 Mar 2026, 00:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-03-18 00:16

Updated : 2026-03-18 14:52


NVD link : CVE-2026-27978

Mitre link : CVE-2026-27978

CVE.ORG link : CVE-2026-27978


Products Affected

No product.

CWE
CWE-352

Cross-Site Request Forgery (CSRF)