CSRF Vulnerability in React Router by Remix-run
CVE-2026-22030

6.5MEDIUM

Key Information:

Vendor: Remix-run
Status: React-router
Vendor: CVE Published:; 10 January 2026

What is CVE-2026-22030?

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in React Router, specifically affecting versions of @remix-run/server-runtime prior to 2.17.3 and react-router between versions 7.0.0 and 7.11.0. This vulnerability allows attackers to execute unauthorized actions on behalf of authenticated users when document POST requests are directed to UI routes. The issue arises when leveraging server-side route action handlers in Framework Mode or React Server Actions in the new unstable RSC mode. It is important to note that there is no risk when using Declarative Mode or Data Mode configurations. Users are strongly encouraged to upgrade to the patched versions for enhanced security.

Affected Version(s)

react-router @remix-run/router < 2.17.3 < @remix-run/router 2.17.3

react-router react-router >= 7.0.0, < 7.12.0 < react-router 7.0.0, 7.12.0

References

https://github.com/remix-run/react-router/security/adviso...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jan 10, 2026
Vulnerability Reserved
Jan 5, 2026

JSON