CVE-2026-39371
RedwoodSDK has a CSRF vulnerability in server function dispatch via GET requests
Description
**Summary** Server functions exported from `"use server"` files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to trigger state-changing functions, because browsers send `SameSite=Lax` cookies on top-level GET requests. This affected all server functions -- both `serverAction()` handlers and bare exported functions in `"use server"` files. **Impact** An attacker could construct a URL containing a known action ID and JSON-encoded arguments. When a victim with an active session visited or was redirected to this URL, the function executed with the victim's credentials. This affected any server function that performs state-changing operations (writes, deletes, mutations) in applications using cookie-based authentication. **Remediation** Update to rwsdk `1.0.6`. No application code changes are required. The fix enforces the declared HTTP method at dispatch time. GET requests to server functions that require POST now return `405 Method Not Allowed`.
How to fix CVE-2026-39371
To remediate CVE-2026-39371, upgrade the affected package to a fixed version below.
- —upgrade to 1.0.6 or later
Is CVE-2026-39371 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 1.0.0-beta.50, < 1.0.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H |