UNKNOWN npm
Next.js: null origin can bypass Server Actions CSRF checks
GHSA-mq59-m269-xvcx · CVE-2026-27978
Published · Modified
Description
Summary
origin: null was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests.
Impact
An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF).
Patches
Fixed by treating 'null' as an explicit origin value and enforcing host/origin checks unless 'null' is explicitly allowlisted in experimental.serverActions.allowedOrigins.
Workarounds
If upgrade is not immediately possible:
- Add CSRF tokens for sensitive Server Actions.
- Prefer
SameSite=Stricton sensitive auth cookies. - Do not allow
'null'inserverActions.allowedOriginsunless intentionally required and additionally protected.
References
- WEB https://github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-27978
- WEB https://github.com/vercel/next.js/commit/a27a11d78e748a8c7ccfd14b7759ad2b9bf097d8
- PACKAGE https://github.com/vercel/next.js
- WEB https://github.com/vercel/next.js/releases/tag/v16.1.7
Ready to move
Start Securing
Free, no credit card | First findings in minutes