{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39371", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T21:29:17.350Z", "datePublished": "2026-04-07T19:28:30.941Z", "dateUpdated": "2026-04-08T17:46:55.661Z"}, "containers": {"cna": {"title": "RedwoodSDK has a CSRF vulnerability in server function dispatch via GET requests", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/redwoodjs/sdk/security/advisories/GHSA-x8rx-789c-2pxq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/redwoodjs/sdk/security/advisories/GHSA-x8rx-789c-2pxq"}], "affected": [{"vendor": "redwoodjs", "product": "sdk", "versions": [{"version": ">= 1.0.0-beta.50, < 1.0.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T19:28:30.941Z"}, "descriptions": [{"lang": "en", "value": "RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, erver functions exported from \"use server\" files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to trigger state-changing functions, because browsers send SameSite=Lax cookies on top-level GET requests. This affected all server functions -- both serverAction() handlers and bare exported functions in \"use server\" files. This vulnerability is fixed in 1.0.6."}], "source": {"advisory": "GHSA-x8rx-789c-2pxq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T17:46:46.520082Z", "id": "CVE-2026-39371", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T17:46:55.661Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "RedwoodSDK has a CSRF vulnerability in server function dispatch via GET requests", "source": {"advisory": "GHSA-x8rx-789c-2pxq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "redwoodjs", "product": "sdk", "versions": [{"status": "affected", "version": ">= 1.0.0-beta.50, < 1.0.6"}]}], "references": [{"url": "https://github.com/redwoodjs/sdk/security/advisories/GHSA-x8rx-789c-2pxq", "name": "https://github.com/redwoodjs/sdk/security/advisories/GHSA-x8rx-789c-2pxq", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, erver functions exported from \"use server\" files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to trigger state-changing functions, because browsers send SameSite=Lax cookies on top-level GET requests. This affected all server functions -- both serverAction() handlers and bare exported functions in \"use server\" files. This vulnerability is fixed in 1.0.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T19:28:30.941Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39371", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T17:46:46.520082Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-08T17:46:51.324Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-39371", "state": "PUBLISHED", "dateUpdated": "2026-04-07T19:28:30.941Z", "dateReserved": "2026-04-06T21:29:17.350Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T19:28:30.941Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, erver functions exported from \"use server\" files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to trigger state-changing functions, because browsers send SameSite=Lax cookies on top-level GET requests. This affected all server functions -- both serverAction() handlers and bare exported functions in \"use server\" files. This vulnerability is fixed in 1.0.6."}], "id": "CVE-2026-39371", "lastModified": "2026-04-08T21:27:00.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T20:16:31.980", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/redwoodjs/sdk/security/advisories/GHSA-x8rx-789c-2pxq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.0.0-beta.50,1.0.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "sdk", "source": "cna", "vendor": "redwoodjs"}, "product": "sdk", "vendor": "redwoodjs"}], "analysis": {"en": {"generated_at": "2026-04-07T22:20:07.000466+00:00", "value": {"mitigation_remediation": ["Upgrade RedwoodSDK to version 1.0.6 or later"], "summary": {"action": "Apply Patch", "impact": "Unrestricted State Change via CSRF"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the RedwoodJS SDK, specifically server\u2011first React applications built with RedwoodSDK versions 1.0.0\u2011beta.50 through 1.0.5. All server functions defined in \"use server\" files, whether named handlers or exported bare functions, are impacted.", "description_and_impact": "RedwoodSDK allows server functions exported from \"use server\" files to be invoked with GET requests instead of their intended HTTP methods when using versions 1.0.0\u2011beta.50 to 1.0.5. In applications that rely on cookie authentication and use SameSite=Lax headers, browsers automatically send the authentication cookie on top\u2011level GET requests. As a result, a malicious site can trigger state\u2011changing functions by simply loading a URL, enabling attackers to perform unintended actions without authorization. This constitutes a classic CSRF vulnerability that can affect any server\u2011side logic exposed through the framework.", "risk_and_exploitability": "The CVSS score of 8.1 indicates high severity. Although EPSS is not available and the issue is not listed in the KEV catalog, the attack vector is clear: a cross\u2011site GET request can exploit the flaw if the victim is authenticated with a SameSite=Lax cookie. The lack of a mitigation in earlier releases and the potential for state\u2011changing operations make exploitation highly likely in environments that expose these functions to the public. Monitoring for unusual requests can help detect exploitation, but the vulnerability's impact remains significant until patched."}}}}, "created": "2026-04-08T19:34:40.894513+00:00", "updated": "2026-04-08T19:46:16.025173+00:00", "vendors": ["redwoodjs", "redwoodjs$PRODUCT$sdk"]}