Cross-Site Vulnerabilities in RedwoodSDK Framework by RedwoodJS
CVE-2026-39371

8.1HIGH

Key Information:

Vendor: Redwoodjs
Status: Sdk
Vendor: CVE Published:; 7 April 2026

What is CVE-2026-39371?

RedwoodSDK, a server-first React framework, contains a vulnerability where server functions, defined in 'use server' files, can be invoked through GET requests, disregarding their designated HTTP methods. This flaw enables attackers to exploit cookie-authenticated applications, triggering state-changing operations via cross-site GET navigations. Browsers deliver SameSite=Lax cookies during top-level GET requests, facilitating such unauthorized function calls. This concern is prevalent across all server actions, including serverAction() handlers and directly exported functions. This issue has been resolved in version 1.0.6.

Affected Version(s)

sdk >= 1.0.0-beta.50, < 1.0.6

References

https://github.com/redwoodjs/sdk/security/advisories/GHSA...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Apr 6, 2026

CVE-2026-39371 Data

JSON

Redwoodjs

What is CVE-2026-39371?

Affected Version(s)

References

CVSS V3.1

Timeline