CVE-2026-27978 in next.js

Summary

by MITRE • 03/18/2026

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, `origin: null` was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests. An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF). This is fixed in version 16.1.7 by treating `'null'` as an explicit origin value and enforcing host/origin checks unless `'null'` is explicitly allowlisted in `experimental.serverActions.allowedOrigins`. If upgrading is not immediately possible, add CSRF tokens for sensitive Server Actions, prefer `SameSite=Strict` on sensitive auth cookies, and/or do not allow `'null'` in `serverActions.allowedOrigins` unless intentionally required and additionally protected.


Analysis

by VulDB Data Team • 03/23/2026

The vulnerability described in CVE-2026-27978 represents a critical cross-site request forgery (CSRF) issue within the Next.js framework that affects versions 16.0.1 through 16.1.6. This flaw specifically concerns the Server Actions CSRF validation mechanism, where the framework incorrectly interpreted `origin: null` as a missing origin value rather than treating it as an explicit origin. The implementation error stems from how Next.js handled origin validation during server action processing, creating a gap that allowed an attacker to bypass the cross-origin check. The vulnerability is classified under CWE-346, "Origin Validation Error", which covers improper validation of the origin of a request in web applications. This issue directly impacts the framework's ability to distinguish legitimate requests from potentially malicious cross-origin submissions, particularly when dealing with sandboxed contexts that naturally produce null origins.

The operational impact of this vulnerability extends beyond simple CSRF protection failure to encompass potential unauthorized state changes within applications built on Next.js. When requests originate from opaque contexts such as sandboxed iframes, the framework's validation logic would incorrectly permit these requests to proceed without proper cross-origin verification. This creates a scenario where an attacker could craft malicious web pages that induce victims to submit Server Actions from sandboxed contexts, effectively executing unauthorized operations with the victim's credentials and session data. The attack vector leverages the browser's security model where sandboxed iframes naturally produce null origins, which the vulnerable Next.js versions failed to properly validate. This vulnerability aligns with ATT&CK technique T1203, "Exploitation for Client Execution," and T1566, "Phishing," as attackers could exploit user trust to deliver malicious payloads that exploit this specific validation flaw.

The fix implemented in Next.js version 16.1.7 addresses this vulnerability by explicitly treating `'null'` as a valid origin value and enforcing proper host/origin checks unless `'null'` is explicitly allowlisted in the `experimental.serverActions.allowedOrigins` configuration. This change ensures that null origins are no longer treated as missing values but rather as specific origin identifiers that must be validated against the configured allowlist. Organizations that cannot immediately upgrade can implement several mitigation strategies to reduce risk exposure. These include implementing CSRF tokens for sensitive Server Actions, which provides an additional layer of protection beyond origin validation. Additionally, using `SameSite=Strict` on sensitive authentication cookies helps prevent cross-site request forgery by ensuring cookies are only sent with requests originating from the same site. The most critical mitigation involves carefully reviewing and restricting the `serverActions.allowedOrigins` configuration to avoid allowing `'null'` unless absolutely necessary and only when additional protective measures are in place. This approach aligns with defense-in-depth principles and follows industry best practices for mitigating similar vulnerabilities in web application frameworks. The vulnerability demonstrates the importance of proper origin validation in modern web frameworks and highlights how seemingly minor implementation details in security controls can create significant attack surfaces that require careful attention to maintain application integrity.

Responsible: GitHub M

Reservation: 02/25/2026

Disclosure: 03/18/2026

Moderation: accepted

CPE: ready

EPSS: 0.00009

KEV: no

Activities: very low
