Description
RedwoodSDK is a server-first React framework. From version 1.0.0-beta.50 to before version 1.2.3, server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server action with the victim's session cookie attached. This issue has been patched in version 1.2.3.
Published: 2026-05-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

RedwoodSDK server actions from version 1.0.0‑beta.50 up to and including 1.2.2 enforce the HTTP method but never validate the request's Origin, which allows a same‑site CSRF. Because that check is missing, a page served from any origin the browser considers same‑site with the application (for example a sibling subdomain under the same registrable domain) can submit a request to a server action, and the browser attaches the victim's session cookie; cookie SameSite=Lax or Strict attributes do not prevent this, because the request is not cross‑site. The result is an authenticated, state‑changing call made without the victim's intent, so the attacker gains whatever write access the invoked action has (integrity impact); the CVSS vector records no direct confidentiality or availability impact. The weakness is classified as CWE‑352 (Cross‑Site Request Forgery).

Affected Systems

All deployments of RedwoodSDK (the rwsdk package) from version 1.0.0‑beta.50 to 1.2.2 inclusive are affected. Version 1.2.3 adds origin validation to server actions.

Risk and Exploitability

The CVSS 3.1 base score is 5.3 (Medium), vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N: reachable over the network and requiring no privileges on the attacker's side, but with user interaction (the victim must load the attacker's page while logged in) and high attack complexity, because the attacker first needs to control content on an origin the browser treats as same‑site with the application, such as a sibling subdomain or a user‑content host under the same registrable domain. EPSS is below 1% and the CVE is not in the CISA KEV catalog, so there is no indication of exploitation in the wild. Where those preconditions hold, a single request invokes a server action with the victim's full session authority, which is why the integrity impact is rated high. Overall risk is moderate; upgrading is recommended.

Generated by OpenCVE AI on May 8, 2026 at 21:23 UTC.

Remediation

Vendor fix: upgrade to RedwoodSDK 1.2.3 or later (see GitHub advisory GHSA-m2m6-cff5-3w7c). No vendor workaround is listed.

OpenCVE Recommended Actions

  • Upgrade rwsdk to version 1.2.3 or later, which adds origin validation to server actions.
  • If an immediate upgrade is not possible, front the server‑action endpoint with a check that the Origin header exactly equals the application's own origin (scheme, host and port), rejecting requests where it is missing or differs; where the browser sends it, also require Sec‑Fetch‑Site: same‑origin. A same‑site match is not sufficient: the attacker's origin in this issue is same‑site by definition.
  • Do not rely on CORS or cookie SameSite attributes as the mitigation. CORS restricts reading the response, not sending the request, so a simple POST still arrives with cookies attached, and SameSite=Lax/Strict cookies are sent on same‑site requests, which is exactly the case here.
  • Reduce what counts as same‑site: avoid hosting untrusted or user‑controlled content on sibling subdomains of the application, or move such content to a separate registrable domain.
  • Log and alert on server‑action requests whose Origin is absent or differs from the application origin, or whose Sec‑Fetch‑Site is not same‑origin, to detect attempts.

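The check that closes this gap, as an added example rather than code from RedwoodSDK or from this advisory: a request‑level guard for a server‑action route, written against the standard Request/Headers API that Cloudflare Workers and Node 18+ provide. The function names, the ALLOWED_ORIGIN value, the /__rsc_action path and the sample requests are assumptions constructed for the demonstration. The point it makes, which also underlies the Impact section above, is that a same‑site origin is still a foreign origin: the guard compares full origins for exact equality and additionally rejects Sec‑Fetch‑Site: same‑site, while the session cookie is present in every scenario and plays no part in the decision.

```javascript
// Added example: origin validation for a server-action endpoint.
// Not RedwoodSDK code. ALLOWED_ORIGIN, the function names, the route path and
// the sample requests below are assumptions constructed for this demonstration.
const ALLOWED_ORIGIN = "https://app.example.com"; // assumed application origin

// Rejection reasons, returned (not thrown) so a caller or test can assert on them.
const REJECT = Object.freeze({
  METHOD: "method-not-allowed",
  NO_ORIGIN: "missing-origin",
  BAD_ORIGIN: "origin-mismatch",
  BAD_FETCH_SITE: "sec-fetch-site-not-same-origin",
});

// Decide whether a server-action request may proceed.
//  1. Only POST. Method enforcement alone is what the vulnerable versions had.
//  2. Origin must be present and equal the application origin exactly
//     (scheme + host + port). Exact comparison is what separates a sibling
//     subdomain (same-site, possibly attacker-controlled) from the app itself.
//  3. If the browser sent Sec-Fetch-Site it must be "same-origin"; "same-site"
//     is precisely the case this advisory describes and is rejected.
// Returns { ok: true } or { ok: false, reason }.
function checkServerActionRequest(request, allowedOrigin = ALLOWED_ORIGIN) {
  if (request.method !== "POST") {
    return { ok: false, reason: REJECT.METHOD };
  }

  const origin = request.headers.get("origin");
  if (origin === null) {
    return { ok: false, reason: REJECT.NO_ORIGIN };
  }

  // Normalise through URL so "https://app.example.com:443" equals
  // "https://app.example.com". A literal "null" Origin (opaque origin) or any
  // unparsable value throws here and is rejected.
  let requestOrigin;
  let expectedOrigin;
  try {
    requestOrigin = new URL(origin).origin;
    expectedOrigin = new URL(allowedOrigin).origin;
  } catch {
    return { ok: false, reason: REJECT.BAD_ORIGIN };
  }
  if (requestOrigin !== expectedOrigin) {
    return { ok: false, reason: REJECT.BAD_ORIGIN };
  }

  const fetchSite = request.headers.get("sec-fetch-site");
  if (fetchSite !== null && fetchSite !== "same-origin") {
    return { ok: false, reason: REJECT.BAD_FETCH_SITE };
  }
  return { ok: true };
}

// Build a request shaped like a browser-submitted server action: the session
// cookie is attached in every case, exactly as it would be for a same-site
// request. All values are constructed for the demo.
function makeActionRequest({ origin, fetchSite, method = "POST" } = {}) {
  const headers = new Headers({ cookie: "session=victim-session-cookie" });
  if (origin !== undefined) headers.set("origin", origin);
  if (fetchSite !== undefined) headers.set("sec-fetch-site", fetchSite);
  return new Request(`${ALLOWED_ORIGIN}/__rsc_action`, {
    method,
    headers,
    body: method === "POST" ? "[]" : undefined,
  });
}

// Scenarios: only the requester's origin differs; the cookie is always present.
function buildScenarios() {
  return {
    sameOrigin: makeActionRequest({ origin: ALLOWED_ORIGIN, fetchSite: "same-origin" }),
    siblingSubdomain: makeActionRequest({ origin: "https://evil.example.com", fetchSite: "same-site" }),
    crossSite: makeActionRequest({ origin: "https://attacker.example", fetchSite: "cross-site" }),
    nullOrigin: makeActionRequest({ origin: "null" }),
    noOrigin: makeActionRequest(),
    fetchSiteMismatch: makeActionRequest({ origin: ALLOWED_ORIGIN, fetchSite: "same-site" }),
    getRequest: makeActionRequest({ origin: ALLOWED_ORIGIN, method: "GET" }),
  };
}

// Evaluate every scenario; returns { name: { ok, reason? } }.
function runScenarios() {
  const results = {};
  for (const [name, request] of Object.entries(buildScenarios())) {
    results[name] = checkServerActionRequest(request);
  }
  return results;
}

console.table(runScenarios());
```

Run it with node: the table shows the same‑origin request passing and the sibling‑subdomain, cross‑site, null‑Origin, missing‑Origin, Sec‑Fetch‑Site mismatch and GET cases each rejected with a reason. The guard belongs before the action is dispatched and before the request body is parsed, and the exact‑match comparison must not be relaxed to a suffix match on the host name, which would reintroduce the same‑site gap.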


Advisories

Source | ID | Title
GitHub GHSA | GHSA-m2m6-cff5-3w7c | RedwoodSDK has Same-site CSRF through lack of origin validation in its server actions
History

Fri, 08 May 2026 22:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Redwoodjs; Redwoodjs sdk
Vendors & Products | | Redwoodjs; Redwoodjs sdk

Fri, 08 May 2026 20:00:00 +0000

Type | Values Removed | Values Added
Description | | RedwoodSDK is a server-first React framework. From version 1.0.0-beta.50 to before version 1.2.3, server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server action with the victim's session cookie attached. This issue has been patched in version 1.2.3.
Title | | RedwoodSDK: Same-site CSRF in server actions
Weaknesses | | CWE-352
References | |
Metrics | | cvssV3_1: score 5.3, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T19:35:17.905Z

Reserved: 2026-04-25T01:53:21.583Z

Link: CVE-2026-42190

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T20:16:31.580

Modified: 2026-05-08T20:16:31.580

Link: CVE-2026-42190

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T22:30:18Z

Weaknesses