CVE-2026-42190

Published: May 8, 2026Modified: May 14, 2026

5.3

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Exploitability: 1.6 / Impact: 3.6

Source: security-advisories@github.com (Secondary)

Description

RedwoodSDK is a server-first React framework. From version 1.0.0-beta.50 to before version 1.2.3, server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server action with the victim's session cookie attached. This issue has been patched in version 1.2.3.

Affected (11)

Products: Redwoodjs: Redwoodsdk

Redwoodjs

1 product

Redwoodsdk

Configuration A

11 vulnerable

Vulnerable Software	Affected Versions
Redwoodjs Redwoodsdk	From 1.0.1 to 1.2.3
Redwoodjs Redwoodsdk	Version 1.0.0 beta50
Redwoodjs Redwoodsdk	Version 1.0.0 beta51
Redwoodjs Redwoodsdk	Version 1.0.0 beta52
Redwoodjs Redwoodsdk	Version 1.0.0 beta53
Redwoodjs Redwoodsdk	Version 1.0.0 beta53_test20260205213024
Redwoodjs Redwoodsdk	Version 1.0.0 beta54
Redwoodjs Redwoodsdk	Version 1.0.0 beta55
Redwoodjs Redwoodsdk	Version 1.0.0 beta56
Redwoodjs Redwoodsdk	Version 1.0.0 beta57
Redwoodjs Redwoodsdk	Version 1.0.0 beta58

Related CWEs

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (2)

https://github.com/redwoodjs/sdk/releases/tag/v1.2.3

Source: security-advisories@github.com

ProductRelease Notes

https://github.com/redwoodjs/sdk/security/advisories/GHSA-m2m6-cff5-3w7c

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.