CVE-2026-39371

RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, erver functions exported from "use server" files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to trigger state-changing functions, because browsers send SameSite=Lax cookies on top-level GET requests. This affected all server functions -- both serverAction() handlers and bare exported functions in "use server" files. This vulnerability is fixed in 1.0.6.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/redwoodjs/sdk/security/advisories/GHSA-x8rx-789c-2pxq	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redwoodjs:redwoodsdk::::::::
	cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta50::::::
	cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta51::::::
	cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta52::::::
	cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta53::::::
	cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta53_test20260205213024::::::
	cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta54::::::
	cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta55::::::
	cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta56::::::
	cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta57::::::
	cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta58::::::

History

05 May 2026, 15:31

Type	Values Removed	Values Added
First Time		Redwoodjs Redwoodjs redwoodsdk
CPE	cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta51::::node.js::* cpe:2.3:a:rwsdk:redwoodsdk::::::node.js::* cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta52::::node.js::* cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta54::::node.js::* cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta53::::node.js::* cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta50::::node.js::* cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta58::::node.js::* cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta55::::node.js::* cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta53_test20260205213024::::node.js::* cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta56::::node.js::* cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta57::::node.js::*	cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta50:::::: cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta55:::::: cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta53_test20260205213024:::::: cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta56:::::: cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta57:::::: cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta52:::::: cpe:2.3:a:redwoodjs:redwoodsdk:::::::: cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta51:::::: cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta54:::::: cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta58:::::: cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta53::::::

24 Apr 2026, 18:14

Type	Values Removed	Values Added
First Time		Rwsdk Rwsdk redwoodsdk
References	~~() https://github.com/redwoodjs/sdk/security/advisories/GHSA-x8rx-789c-2pxq -~~	() https://github.com/redwoodjs/sdk/security/advisories/GHSA-x8rx-789c-2pxq - Vendor Advisory
CPE		cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta51::::node.js::* cpe:2.3:a:rwsdk:redwoodsdk::::::node.js::* cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta55::::node.js::* cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta52::::node.js::* cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta53::::node.js::* cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta58::::node.js::* cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta57::::node.js::* cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta50::::node.js::* cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta53_test20260205213024::::node.js::* cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta56::::node.js::* cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta54::::node.js::*

07 Apr 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-07 20:16

Updated : 2026-06-17 10:42

NVD link : CVE-2026-39371

Mitre link : CVE-2026-39371

CVE.ORG link : CVE-2026-39371

JSON object : View

Products Affected

redwoodjs

redwoodsdk

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

8.1 /10