CVE-2026-42190— RedwoodSDK: Same-site CSRF in in server actions

RedwoodSDK: Same-site CSRF in in server actions

RedwoodSDK is a server-first React framework. From version 1.0.0-beta.50 to before version 1.2.3, server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server action with the victim's session cookie attached. This issue has been patched in version 1.2.3.

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

跨站请求伪造(CSRF)

RedwoodSDK 跨站请求伪造漏洞

RedwoodSDK是RedwoodJS开源的一个基于React的服务器优先Web应用框架。 RedwoodSDK 1.0.0-beta.50版本至1.2.3之前版本存在跨站请求伪造漏洞，该漏洞源于服务器操作应用HTTP方法强制但无来源验证，可能导致来自不同来源的请求被浏览器视为同站并附带受害者会话cookie调用服务器操作。

N/A

N/A