CVE-2026-42190

MEDIUM 5.3

RedwoodSDK: Same-site CSRF in in server actions

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

RedwoodSDK is a server-first React framework. From version 1.0.0-beta.50 to before version 1.2.3, server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server action with the victim's session cookie attached. This issue has been patched in version 1.2.3.

CWE	CWE-352
Vendor	redwoodjs
Product	sdk
Published	May 8, 2026

Stay Ahead of the Next One

Get instant alerts for redwoodjs sdk

Be the first to know when new medium vulnerabilities affecting redwoodjs sdk are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Affected Versions

redwoodjs / sdk

>= 1.0.0-beta.50, < 1.2.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/redwoodjs/sdk/security/advisories/GHSA-m2m6-cff5-3w7c github.com: https://github.com/redwoodjs/sdk/releases/tag/v1.2.3