CVE-2026-39371

moderate-risk
Published 2026-04-07

RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, erver functions exported from "use server" files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to trigger state-changing functions, because browsers send SameSite=Lax cookies on top-level GET requests. This affected all server functions -- both serverAction() handlers and bare exported functions in "use server" files. This vulnerability is fixed in 1.0.6.

Do I need to act?

-
0.01% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.1/10 High
NETWORK / LOW complexity

Affected Products (11)

Redwoodsdk
Redwoodsdk
Redwoodsdk
Redwoodsdk
Redwoodsdk
Redwoodsdk
Redwoodsdk
Redwoodsdk
Redwoodsdk
Redwoodsdk
Redwoodsdk

Affected Vendors

Rwsdk

References (1)

Vendor Advisory https://github.com/redwoodjs/sdk/security/advisories/GHSA-x8rx-789c-2pxq
44
/ 100
moderate-risk
Severity 28/34 · Critical
Exploitability 0/34 · Minimal
Exposure 16/34 · Moderate