CVE-2026-39371
Published: 07 April 2026
Summary
CVE-2026-39371 is a high-severity CSRF (CWE-352) vulnerability in Redwoodjs Redwoodsdk. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 11.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-39371 affects RedwoodSDK, a server-first React framework, in versions from 1.0.0-beta.50 to 1.0.5. The vulnerability allows server functions exported from "use server" files—both serverAction() handlers and bare exported functions—to be invoked via GET requests, bypassing their intended HTTP methods. This issue stems from a failure to enforce HTTP method restrictions, enabling unintended access to state-changing operations. The flaw is rated with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H) and is associated with CWE-352 (Cross-Site Request Forgery).
Attackers can exploit this vulnerability in cookie-authenticated RedwoodSDK applications by tricking users into performing cross-site top-level GET navigations, such as clicking a malicious link. Browsers send SameSite=Lax cookies with these top-level GET requests, allowing the requests to authenticate as the victim user and trigger arbitrary server functions. No privileges are required for the attacker, though user interaction is needed; successful exploitation can result in high integrity and availability impacts, such as unauthorized state changes, without affecting confidentiality.
The GitHub security advisory at https://github.com/redwoodjs/sdk/security/advisories/GHSA-x8rx-789c-2pxq details the issue and confirms it is fixed in RedwoodSDK version 1.0.6, recommending immediate upgrades for affected installations. Practitioners should review applications using server functions in "use server" files, verify authentication mechanisms, and test for method enforcement post-upgrade.
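As an added illustration (not RedwoodSDK's code and not taken from the advisory): a minimal dispatcher for functions exported from a "use server" file, first in the pre-fix shape that accepts any HTTP method, then with method enforcement plus Sec-Fetch-Site and Origin checks as defence in depth. The function registry, the `fnName` request field, the header object layout and the origin value are assumptions made for this example.

```javascript
// Constructed registry standing in for functions exported from a "use server" file.
const serverFunctions = {
  deleteAccount: (user) => ({ deleted: user }), // state-changing
};

// Case-insensitive header lookup on a plain { name: value } object (assumed shape).
function header(req, name) {
  const key = Object.keys(req.headers || {}).find((k) => k.toLowerCase() === name);
  return key ? req.headers[key] : undefined;
}

// Vulnerable shape, matching the behaviour the advisory describes: the method is
// never checked, so a top-level cross-site GET that carries the victim's
// SameSite=Lax session cookie reaches the function.
function dispatchUnguarded(req, user) {
  const fn = serverFunctions[req.fnName];
  if (!fn) return { status: 404 };
  return { status: 200, result: fn(user) };
}

// Hardened shape: state-changing invocations must be POST (the core fix), and
// cross-site POSTs are refused via Sec-Fetch-Site / Origin as defence in depth.
function dispatchGuarded(req, user, appOrigin) {
  const fn = serverFunctions[req.fnName];
  if (!fn) return { status: 404 };
  if (req.method.toUpperCase() !== "POST") {
    return { status: 405, error: "server functions require POST" };
  }
  const site = header(req, "sec-fetch-site");
  if (site && site !== "same-origin") {
    return { status: 403, error: "cross-site request refused" };
  }
  const origin = header(req, "origin");
  if (origin && origin !== appOrigin) {
    return { status: 403, error: "origin mismatch" };
  }
  return { status: 200, result: fn(user) };
}

// Constructed request: a top-level navigation from another site, GET, cookie attached.
const crossSiteGet = {
  method: "GET",
  fnName: "deleteAccount",
  headers: { Cookie: "session=abc", "Sec-Fetch-Site": "cross-site" },
};
console.log(dispatchUnguarded(crossSiteGet, "alice").status); // 200
console.log(dispatchGuarded(crossSiteGet, "alice", "https://app.example").status); // 405
```

The 405 path is the behaviour the 1.0.6 fix restores; the Sec-Fetch-Site and Origin checks are an extra layer and are not described in the advisory.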
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19888
Vulnerability details
RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, server functions exported from "use server" files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to trigger state-changing functions, because browsers send SameSite=Lax cookies on top-level GET requests. This affected all server functions -- both serverAction() handlers and bare exported functions in "use server" files. This vulnerability is fixed in 1.0.6.
Related Threats
MITRE ATT&CK Enterprise Techniques: Exploit Public-Facing Application (T1190)
Why these techniques?
The vulnerability is a weakness in the RedwoodSDK public-facing web application framework allowing unauthorized invocation of server functions via GET requests (CSRF), directly enabling exploitation of the application for state-changing operations.
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly mitigates CVE-2026-39371 by remediating the flaw in RedwoodSDK through timely patching to version 1.0.6, which enforces HTTP method restrictions on server functions.
- SI-10 (Information Input Validation): validates HTTP method inputs to server functions exported from "use server" files, preventing unauthorized invocation via GET requests that bypass intended methods.
- AC-3 (Access Enforcement): enforces access control policies requiring specific HTTP methods for state-changing server functions, blocking cross-site GET navigations that exploit cookie authentication.