Cyber Resilience

CVE-2026-39371

Severity: High
Published: 07 April 2026
Modified: 05 May 2026
KEV Added: not listed
Patch: fixed in 1.0.6
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
EPSS Score: 0.0021 (11.2 percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-39371 is a high-severity cross-site request forgery (CSRF, CWE-352) vulnerability in RedwoodSDK (redwoodjs). Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 11.2 percentile by exploit likelihood (EPSS), below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-39371 affects RedwoodSDK, a server-first React framework, in versions from 1.0.0-beta.50 to 1.0.5. The vulnerability allows server functions exported from "use server" files—both serverAction() handlers and bare exported functions—to be invoked via GET requests, bypassing their intended HTTP methods. This issue stems from a failure to enforce HTTP method restrictions, enabling unintended access to state-changing operations. The flaw is rated with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H) and is associated with CWE-352 (Cross-Site Request Forgery).

Attackers can exploit this vulnerability in cookie-authenticated RedwoodSDK applications by tricking users into performing cross-site top-level GET navigations, such as clicking a malicious link. Browsers send SameSite=Lax cookies with these top-level GET requests, allowing the requests to authenticate as the victim user and trigger arbitrary server functions. No privileges are required for the attacker, though user interaction is needed; successful exploitation can result in high integrity and availability impacts, such as unauthorized state changes, without affecting confidentiality.

The GitHub security advisory at https://github.com/redwoodjs/sdk/security/advisories/GHSA-x8rx-789c-2pxq details the issue and confirms it is fixed in RedwoodSDK version 1.0.6, recommending immediate upgrades for affected installations. Practitioners should review applications using server functions in "use server" files, verify authentication mechanisms, and test for method enforcement post-upgrade.
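The two mechanisms described above, a server-function endpoint that does not enforce its HTTP method and a browser that attaches SameSite=Lax cookies to top-level GET navigations, can be checked in a framework-agnostic way. The following is an added example written for this page; it is not RedwoodSDK's own code, does not use the RedwoodSDK API, and assumes a request shape of `{method, headers}` plus a constructed allow-list of origins (`https://app.example`). It shows a guard that refuses non-POST calls outright and then rejects cross-site callers using the `Sec-Fetch-Site` and `Origin` headers, alongside a small model of when a Lax cookie is sent so the dangerous case (cross-site, top-level, GET) is visible.

```javascript
// Added example, not RedwoodSDK code. Request shape {method, headers} and the
// origin allow-list are assumptions for this demo.

const ALLOWED_ORIGINS = new Set(["https://app.example"]); // constructed value

// Lower-case header names so lookups are case-insensitive (accepts object or Map).
function normalizeHeaders(headers) {
  const out = {};
  const entries = headers instanceof Map ? headers.entries() : Object.entries(headers || {});
  for (const [k, v] of entries) out[String(k).toLowerCase()] = String(v);
  return out;
}

// Guard for a state-changing server-function endpoint.
// Returns {allowed, status, reason}; the caller maps status to the HTTP response.
function checkServerFunctionRequest(req, allowedOrigins = ALLOWED_ORIGINS) {
  const method = (req.method || "").toUpperCase();
  const headers = normalizeHeaders(req.headers);

  // 1. Only POST may reach a state-changing handler. A top-level GET navigation
  //    carries SameSite=Lax cookies, so GET/HEAD must be refused unconditionally.
  if (method !== "POST") {
    return { allowed: false, status: 405, reason: `method ${method || "<none>"} not allowed` };
  }

  // 2. Fetch metadata: modern browsers set Sec-Fetch-Site on every request.
  //    Anything other than same-origin (or "none", a user-initiated request) is refused.
  const site = headers["sec-fetch-site"];
  if (site && site !== "same-origin" && site !== "none") {
    return { allowed: false, status: 403, reason: `Sec-Fetch-Site=${site}` };
  }

  // 3. Origin allow-list as a second layer for clients without fetch metadata.
  //    Browsers always send Origin on POST, so a missing Origin implies a non-browser client.
  const origin = headers["origin"];
  if (origin && !allowedOrigins.has(origin)) {
    return { allowed: false, status: 403, reason: `origin ${origin} not allowed` };
  }

  return { allowed: true, status: 200, reason: "ok" };
}

// Model of the SameSite=Lax rule: a Lax cookie is sent on every same-site request,
// but on a cross-site request only for a top-level navigation with a safe method.
function laxCookieSent(method, isTopLevelNavigation, isCrossSite) {
  if (!isCrossSite) return true;
  const safe = ["GET", "HEAD"].includes(String(method).toUpperCase());
  return isTopLevelNavigation && safe;
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = {
  // Victim clicks a link on another site: top-level GET navigation, cookie attached.
  crossSiteNavigation: {
    method: "GET",
    headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate",
               "sec-fetch-dest": "document", cookie: "session=abc" },
  },
  // Legitimate call from the application's own client code.
  sameOriginAction: {
    method: "POST",
    headers: { origin: "https://app.example", "sec-fetch-site": "same-origin",
               "sec-fetch-mode": "cors", cookie: "session=abc" },
  },
  // Cross-site form POST: Lax already withholds the cookie, and policy rejects it anyway.
  crossSiteFormPost: {
    method: "POST",
    headers: { origin: "https://evil.example", "sec-fetch-site": "cross-site" },
  },
};

// Run the guard over the samples; returns {name: allowed}.
function evaluateSamples(samples = SAMPLE_REQUESTS) {
  const results = {};
  for (const [name, req] of Object.entries(samples)) {
    results[name] = checkServerFunctionRequest(req).allowed;
  }
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(evaluateSamples());
  console.log("Lax cookie on cross-site top-level GET:", laxCookieSent("GET", true, true));
}
```

Post-upgrade, the same three sample shapes make a useful regression check: a GET to any server-function route should return 405, and a POST with a foreign `Origin` or `Sec-Fetch-Site: cross-site` should return 403, regardless of which cookies the request carries.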

Vulnerability details

RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, server functions exported from "use server" files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to trigger state-changing functions, because browsers send SameSite=Lax cookies on top-level GET requests. This affected all server functions -- both serverAction() handlers and bare exported functions in "use server" files. This vulnerability is fixed in 1.0.6.

CWE(s)

CWE-352 (Cross-Site Request Forgery)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a weakness in the RedwoodSDK public-facing web application framework allowing unauthorized invocation of server functions via GET requests (CSRF), directly enabling exploitation of the application for state-changing operations.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-23467 (shared CWE-352)
CVE-2018-25170 (shared CWE-352)
CVE-2025-22336 (shared CWE-352)
CVE-2025-23821 (shared CWE-352)
CVE-2025-22582 (shared CWE-352)
CVE-2025-23639 (shared CWE-352)
CVE-2024-50858 (shared CWE-352)
CVE-2025-23558 (shared CWE-352)
CVE-2026-6455 (shared CWE-352)
CVE-2025-55044 (shared CWE-352)

Affected Assets

Vendor: redwoodjs
Product: redwoodsdk
Versions: 1.0.0 · 1.0.1 — 1.0.6

Mitigating Controls (NIST 800-53 r5)

prevent (patch to fixed version)

Directly mitigates CVE-2026-39371 by remediating the flaw in RedwoodSDK through timely patching to version 1.0.6, which enforces HTTP method restrictions on server functions.

prevent: SI-10 (Information Input Validation)

Validates the HTTP method of requests to server functions exported from 'use server' files, preventing unauthorized invocation via GET requests that bypass the intended method.

prevent: AC-3 (Access Enforcement)

Enforces access control policies that require specific HTTP methods for state-changing server functions, blocking cross-site GET navigations that exploit cookie authentication.

References