CVE-2026-27978
March 17, 2026
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, "origin: null" was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests. An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF). This is fixed in version 16.1.7 by treating "'null'" as an explicit origin value and enforcing host/origin checks unless "'null'" is explicitly allowlisted in "experimental.serverActions.allowedOrigins". If upgrading is not immediately possible, add CSRF tokens for sensitive Server Actions, prefer "SameSite=Strict" on sensitive auth cookies, and/or do not allow "'null'" in "serverActions.allowedOrigins" unless intentionally required and additionally protected.
Affected Packages
https://github.com/vercel/next.js.git (GITHUB):
Affected version(s) >=v16.0.1 <v16.1,7Fix Suggestion:
Update to version v16.1,7next (NPM):
Affected version(s) >=16.0.1 <16.1.7Fix Suggestion:
Update to version 16.1.7Related ResourcesĀ (5)
Do you need more information?
Contact UsCVSS v4
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Cross-Site Request Forgery (CSRF)
EPSS
Base Score:
0.01
