RedwoodSDK is a server-first React framework. From version 1.0.0-beta.50 to before version 1.2.3, server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server action with the victim's session cookie attached. This issue has been patched in version 1.2.3.
References
| Link | Resource |
|---|---|
| https://github.com/redwoodjs/sdk/releases/tag/v1.2.3 | Product Release Notes |
| https://github.com/redwoodjs/sdk/security/advisories/GHSA-m2m6-cff5-3w7c | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
14 May 2026, 13:54
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/redwoodjs/sdk/releases/tag/v1.2.3 - Product, Release Notes | |
| References | () https://github.com/redwoodjs/sdk/security/advisories/GHSA-m2m6-cff5-3w7c - Vendor Advisory | |
| CPE | cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta56:*:*:*:*:*:* cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta52:*:*:*:*:*:* cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta58:*:*:*:*:*:* cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta55:*:*:*:*:*:* cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta51:*:*:*:*:*:* cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta50:*:*:*:*:*:* cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta57:*:*:*:*:*:* cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta53_test20260205213024:*:*:*:*:*:* cpe:2.3:a:redwoodjs:redwoodsdk:*:*:*:*:*:*:*:* cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta54:*:*:*:*:*:* cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta53:*:*:*:*:*:* |
|
| First Time |
Redwoodjs
Redwoodjs redwoodsdk |
08 May 2026, 20:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-05-08 20:16
Updated : 2026-06-17 10:47
NVD link : CVE-2026-42190
Mitre link : CVE-2026-42190
CVE.ORG link : CVE-2026-42190
JSON object : View
Products Affected
redwoodjs
- redwoodsdk
CWE
CWE-352
Cross-Site Request Forgery (CSRF)