CVE-2026-27978

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, `origin: null` was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests. An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF). This is fixed in version 16.1.7 by treating `'null'` as an explicit origin value and enforcing host/origin checks unless `'null'` is explicitly allowlisted in `experimental.serverActions.allowedOrigins`. If upgrading is not immediately possible, add CSRF tokens for sensitive Server Actions, prefer `SameSite=Strict` on sensitive auth cookies, and/or do not allow `'null'` in `serverActions.allowedOrigins` unless intentionally required and additionally protected.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/vercel/next.js/commit/a27a11d78e748a8c7ccfd14b7759ad2b9bf097d8	Patch
https://github.com/vercel/next.js/releases/tag/v16.1.7	Release Notes
https://github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx	Vendor Advisory Mitigation

Configurations

Configuration 1 (hide)

cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2026-03-18 00:16

Updated : 2026-03-18 20:05

NVD link : CVE-2026-27978

Mitre link : CVE-2026-27978

CVE.ORG link : CVE-2026-27978

JSON object : View

Products Affected

vercel

next.js

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2026-27978", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-18T00:16:20.117", "references": [{"url": "https://github.com/vercel/next.js/commit/a27a11d78e748a8c7ccfd14b7759ad2b9bf097d8", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vercel/next.js/releases/tag/v16.1.7", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx", "tags": ["Vendor Advisory", "Mitigation"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, `origin: null` was treated as a \"missing\" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests. An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF). This is fixed in version 16.1.7 by treating `'null'` as an explicit origin value and enforcing host/origin checks unless `'null'` is explicitly allowlisted in `experimental.serverActions.allowedOrigins`. If upgrading is not immediately possible, add CSRF tokens for sensitive Server Actions, prefer `SameSite=Strict` on sensitive auth cookies, and/or do not allow `'null'` in `serverActions.allowedOrigins` unless intentionally required and additionally protected."}, {"lang": "es", "value": "Next.js es un React framework para construir aplicaciones web full-stack. A partir de la versi\u00f3n 16.0.1 y antes de la versi\u00f3n 16.1.7, `origin: null` fue tratado como un origen 'faltante' durante la validaci\u00f3n CSRF de las Server Actions. Como resultado, las solicitudes de contextos opacos (como iframes en sandbox) pod\u00edan eludir la verificaci\u00f3n de origen en lugar de ser validadas como solicitudes de origen cruzado. Un atacante podr\u00eda inducir a un navegador v\u00edctima a enviar Server Actions desde un contexto en sandbox, ejecutando potencialmente acciones que cambian el estado con credenciales de la v\u00edctima (CSRF). Esto se corrigi\u00f3 en la versi\u00f3n 16.1.7 al tratar `'null'` como un valor de origen expl\u00edcito y al aplicar comprobaciones de host/origen a menos que `'null'` est\u00e9 expl\u00edcitamente en la lista de permitidos en `experimental.serverActions.allowedOrigins`. Si la actualizaci\u00f3n no es posible de inmediato, a\u00f1ada tokens CSRF para Server Actions sensibles, prefiera `SameSite=Strict` en cookies de autenticaci\u00f3n sensibles, y/o no permita `'null'` en `serverActions.allowedOrigins` a menos que sea intencionalmente requerido y adicionalmente protegido."}], "lastModified": "2026-03-18T20:05:48.490", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "B6AA61BB-C5CD-4725-9A02-BEFA55D52351", "versionEndExcluding": "16.1.7", "versionStartIncluding": "16.0.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}