CVE-2026-27978
Status: Received - Intake
CSRF Bypass in Next.js Server Actions via Null Origin

Publication date: 2026-03-18

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, `origin: null` was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests. An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF). This is fixed in version 16.1.7 by treating `'null'` as an explicit origin value and enforcing host/origin checks unless `'null'` is explicitly allowlisted in `experimental.serverActions.allowedOrigins`. If upgrading is not immediately possible, add CSRF tokens for sensitive Server Actions, prefer `SameSite=Strict` on sensitive auth cookies, and/or do not allow `'null'` in `serverActions.allowedOrigins` unless intentionally required and additionally protected.
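The following is an added illustration of the check described above, not Next.js source code: a simplified Server Action origin check in its pre-16.1.7 form (where "null" falls into the "missing origin" branch) beside the 16.1.7 form (where "null" is an explicit origin that must be allowlisted). The function names, the host-only matching against allowedOrigins, and the sample hosts are assumptions made for the example.

```javascript
// Added example for CVE-2026-27978; simplified, not the framework's own code.

// Reduce an Origin header value to its host, e.g. "https://app.example.test:3000"
// -> "app.example.test:3000". The literal "null" is not a URL and yields null.
function originToHost(origin) {
  try {
    return new URL(origin).host;
  } catch {
    return null;
  }
}

// Pre-16.1.7 behaviour (simplified): a missing Origin header skips the check,
// and the opaque origin "null" was lumped in with "missing", so a request
// submitted from a sandboxed iframe passed without any host comparison.
function checkOriginVulnerable(originHeader, hostHeader, allowedOrigins = []) {
  if (!originHeader || originHeader === 'null') {
    return true; // the bug: "null" is accepted as if it were same-origin
  }
  const originHost = originToHost(originHeader);
  return originHost === hostHeader || allowedOrigins.includes(originHost);
}

// 16.1.7 behaviour (simplified): "null" is an explicit origin value. It never
// equals the Host header, so it is rejected unless an operator deliberately
// lists 'null' in experimental.serverActions.allowedOrigins.
function checkOriginFixed(originHeader, hostHeader, allowedOrigins = []) {
  if (!originHeader) {
    return true; // genuinely absent Origin header: unchanged by the fix
  }
  if (originHeader === 'null') {
    return allowedOrigins.includes('null');
  }
  const originHost = originToHost(originHeader);
  return originHost === hostHeader || allowedOrigins.includes(originHost);
}

// Same request, both versions: Origin "null" against the app's own host.
const HOST = 'app.example.test'; // constructed sample host
console.log('vulnerable accepts null origin:', checkOriginVulnerable('null', HOST)); // true
console.log('fixed accepts null origin:     ', checkOriginFixed('null', HOST));      // false
```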
Meta Information
Published: 2026-03-18
Last Modified: 2026-03-18
Generated: 2026-05-07
AI Q&A: 2026-03-18
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor | Product | Version / Range
vercel | next.js | From 16.0.1 (inclusive) to 16.1.7 (exclusive)
CWE ID | Description
CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27978 is a moderate severity vulnerability in the Next.js framework affecting versions from 16.0.1 up to but not including 16.1.7. The issue arises because the origin value "null" was incorrectly treated as a missing origin during Server Actions Cross-Site Request Forgery (CSRF) validation.

This flaw allowed requests originating from opaque contexts, such as sandboxed iframes, to bypass origin verification checks instead of being recognized as cross-origin requests. As a result, an attacker could trick a victim's browser into submitting Server Actions from a sandboxed context, potentially executing state-changing actions with the victim's credentials.

The vulnerability was fixed in version 16.1.7 by explicitly treating "null" as a valid origin value and enforcing strict host/origin checks unless "null" is explicitly allowlisted in the experimental configuration parameter `experimental.serverActions.allowedOrigins`. [1, 2]


How can this vulnerability impact me?

This vulnerability can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks by inducing a victim's browser to submit Server Actions from a sandboxed or opaque context. This means unauthorized state-changing actions could be executed using the victim's credentials without their consent.

The impact includes unauthorized changes to application state, potentially leading to data manipulation or other unintended side effects. However, it does not impact confidentiality or availability. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves monitoring for Server Action requests originating from opaque contexts such as sandboxed iframes where the origin header is 'null'. Such requests bypass origin verification in vulnerable versions of Next.js.

You can inspect HTTP requests to your Next.js server for requests with an origin header set to 'null' or missing, which should normally be rejected or carefully validated.

Example commands to detect suspicious requests include using network traffic capture tools like tcpdump or Wireshark to filter HTTP requests with origin 'null':

- tcpdump -i any -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'Origin: null'
- Using curl to simulate a request with origin 'null' to test server response: curl -H 'Origin: null' -X POST https://your-nextjs-app/api/server-action

Additionally, reviewing server logs for warnings about missing or mismatched origin headers can help identify attempts to exploit this vulnerability. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade Next.js to version 16.1.7 or later, where the vulnerability is fixed by explicitly treating 'null' as a valid origin and enforcing strict host/origin checks.

If upgrading immediately is not possible, apply the following workarounds:

- Add CSRF tokens to sensitive Server Actions to ensure requests are validated beyond origin checks.
- Set sensitive authentication cookies with the SameSite=Strict attribute to prevent them from being sent in cross-origin requests.
- Avoid allowing 'null' in the configuration parameter experimental.serverActions.allowedOrigins unless absolutely necessary, and ensure additional protections are in place if it is allowed. [1]

