CVE-2026-27978: CWE-352: Cross-Site Request Forgery (CSRF) in vercel next.js
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, `origin: null` was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests. An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF). This is fixed in version 16.1.7 by treating `'null'` as an explicit origin value and enforcing host/origin checks unless `'null'` is explicitly allowlisted in `experimental.serverActions.allowedOrigins`. If upgrading is not immediately possible, add CSRF tokens for sensitive Server Actions, prefer `SameSite=Strict` on sensitive auth cookies, and/or do not allow `'null'` in `serverActions.allowedOrigins` unless intentionally required and additionally protected.
AI Analysis
Technical Summary
This vulnerability, tracked as CVE-2026-27978, affects the Next.js React framework versions from 16.0.1 up to but not including 16.1.7. Next.js introduced Server Actions to facilitate server-side operations triggered by client requests. During CSRF validation of these Server Actions, the framework incorrectly treated requests with an 'origin' header value of 'null' as if the origin was missing, rather than recognizing 'null' as a distinct origin. 'Origin: null' typically appears in requests originating from opaque contexts such as sandboxed iframes or certain cross-origin scenarios. Because of this misclassification, requests from these opaque contexts bypassed the origin verification step, allowing attackers to craft malicious web pages that induce victim browsers to submit Server Actions from sandboxed iframes. This results in CSRF attacks where state-changing operations can be executed with the victim's credentials without their consent. The vulnerability does not require authentication but does require user interaction (e.g., visiting a malicious page). The fix introduced in Next.js 16.1.7 explicitly treats 'null' as an origin value and enforces host and origin checks unless 'null' is explicitly allowlisted in the experimental serverActions.allowedOrigins configuration. This patch closes the bypass vector. If immediate upgrading is not feasible, developers are advised to implement CSRF tokens on sensitive Server Actions, use SameSite=Strict on authentication cookies to limit cross-site cookie transmission, and avoid allowing 'null' origins unless additional protections are in place. The CVSS 4.0 score of 5.3 reflects a medium severity due to network attack vector, no privileges required, no user authentication needed, but requiring user interaction and causing limited integrity impact without affecting confidentiality or availability.
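The following is an added illustration, not code from Next.js itself: a simplified model of the Server Action origin check with the pre-16.1.7 behaviour beside the fixed behaviour the advisory describes. The function names, the allowlist matcher and the treatment of a missing Origin header as a skipped check are assumptions made for the example and do not mirror Next.js internals.

```javascript
// Added example (not Next.js's own code). Models the advisory's bug: 'null' was
// collapsed into "no origin", and a missing origin skipped host/origin validation.
// Function names and the allowlist matcher are assumptions for illustration.

// Allowlist matching in the spirit of experimental.serverActions.allowedOrigins:
// exact host entries plus a '*.' wildcard prefix (assumed semantics).
function matchesAllowlist(originDomain, allowedOrigins) {
  return allowedOrigins.some((entry) => {
    if (!entry.startsWith('*.')) return originDomain === entry;
    const suffix = entry.slice(1); // '*.proxy.example' -> '.proxy.example'
    return originDomain.endsWith(suffix) && originDomain.length > suffix.length;
  });
}

// Reduce an Origin header to its host, or undefined if it is not a parseable URL.
// Note that the literal string 'null' is not a URL and therefore yields undefined.
function originToDomain(originHeader) {
  try {
    return new URL(originHeader).host;
  } catch {
    return undefined;
  }
}

// Pre-16.1.7 behaviour: 'null' falls through the URL parser and is handled as a
// missing origin, so the host comparison is never reached and the request passes.
function checkOriginVulnerable(originHeader, hostHeader, allowedOrigins = []) {
  const originDomain = originToDomain(originHeader);
  if (!originDomain) return { allowed: true, reason: 'origin treated as missing' };
  if (originDomain === hostHeader) return { allowed: true, reason: 'same-origin' };
  if (matchesAllowlist(originDomain, allowedOrigins)) return { allowed: true, reason: 'allowlisted' };
  return { allowed: false, reason: 'cross-origin' };
}

// 16.1.7 behaviour: 'null' is preserved as an explicit origin value. It can never
// equal the Host header, so it is rejected unless 'null' itself is allowlisted.
function checkOriginFixed(originHeader, hostHeader, allowedOrigins = []) {
  const originDomain = originHeader === 'null' ? 'null' : originToDomain(originHeader);
  if (!originDomain) return { allowed: true, reason: 'origin treated as missing' };
  if (originDomain === hostHeader) return { allowed: true, reason: 'same-origin' };
  if (matchesAllowlist(originDomain, allowedOrigins)) return { allowed: true, reason: 'allowlisted' };
  return { allowed: false, reason: 'cross-origin' };
}
```

Running both checks against a constructed `Origin: null` request for host `app.example.com` shows the difference: the vulnerable version accepts it as "missing", the fixed version rejects it unless `'null'` appears in the allowlist.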
Potential Impact
The primary impact of this vulnerability is the potential for unauthorized execution of state-changing Server Actions within Next.js applications, leading to integrity violations. Attackers can exploit this flaw to perform actions on behalf of authenticated users without their consent, such as modifying user data, changing application settings, or triggering transactions. While confidentiality and availability are not directly affected, the integrity compromise can lead to downstream effects including data corruption, unauthorized operations, or privilege escalation within the application context. Organizations relying on Next.js for critical web applications may face reputational damage, regulatory compliance issues, and operational disruptions if exploited. The vulnerability is exploitable remotely over the network without authentication but requires user interaction, which may limit large-scale automated exploitation. However, targeted attacks against high-value users or applications remain a significant risk. The lack of known exploits in the wild currently reduces immediate threat but does not eliminate future exploitation potential, especially as awareness grows.
Mitigation Recommendations
The most effective mitigation is to upgrade all affected Next.js instances to version 16.1.7 or later, where the vulnerability is fully patched. For environments where immediate upgrading is not possible, developers should implement CSRF tokens on all sensitive Server Actions to ensure requests are validated beyond origin headers. Additionally, setting authentication cookies with the SameSite=Strict attribute reduces the risk of cross-site cookie transmission, limiting CSRF attack vectors. It is critical to avoid allowing 'null' origins in the experimental.serverActions.allowedOrigins configuration unless absolutely necessary and only with additional protective controls such as strict CSRF tokens or custom origin validation. Developers should also audit their applications for any Server Actions that perform state-changing operations and ensure they are properly protected. Monitoring web traffic for unusual requests originating from opaque contexts or sandboxed iframes can help detect exploitation attempts. Finally, educating users about the risks of interacting with untrusted sites can reduce the likelihood of successful user interaction-based attacks.
Affected Countries
United States, Germany, United Kingdom, India, Canada, Australia, France, Japan, South Korea, Netherlands, Brazil, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-25T03:24:57.793Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b9ee21771bdb1749ef1e18
Added to database: 3/18/2026, 12:13:21 AM
Last enriched: 3/18/2026, 12:27:39 AM
Last updated: 3/18/2026, 2:55:04 AM