Advisory Database
  • Advisories
  • Dependency Scanning
  1. npm
  2. ›
  3. waku
  4. ›
  5. CVE-2026-49455

CVE-2026-49455: Waku: Cross-Origin CSRF on RSC Server Action Dispatch

July 8, 2026

Waku’s RSC request dispatcher invokes server actions without validating the request’s Origin (or Sec-Fetch-Site) header. A cross-origin web attacker can therefore cause a victim browser to issue an authenticated POST to a registered server action endpoint using a CORS-safelisted content type (text/plain), which does not trigger a preflight. Any state-mutating server action that the application exposes via 'use server' can be invoked with the victim’s cookies attached. A working proof-of-concept demonstrates the vulnerability against waku 1.0.0-beta.0 dev server: a cross-origin POST with Content-Type: text/plain invokes a registered 'use server' action and returns HTTP 200 with an RSC stream response. The same defect affects the progressive-enhancement (no-JavaScript) server action path: a cross-origin HTML form auto-submitting multipart/form-data reaches the dispatch through a second unguarded branch of the request handler, dynamically confirmed on 2026-05-17. Both branches were confirmed exploitable from opaque-origin contexts (sandboxed iframes, file:// navigation, browser extension pages), which send Origin: null — a value no Origin guard exists to reject. This is the same vulnerability class previously disclosed for Next.js Server Actions (GHSA-mq59-m269-xvcx); waku’s implementation is broader in that no Origin check exists at all in the default request handler.

A cross-origin POST with Content-Type: text/plain to /<rscBase>/<encoded-action-path> reaches loadServerAction and invokes a registered 'use server' action with the victim’s browser-attached cookies.

References

  • github.com/advisories/GHSA-75w3-gmqx-993q
  • github.com/wakujs/waku/security/advisories/GHSA-75w3-gmqx-993q
  • nvd.nist.gov/vuln/detail/CVE-2026-49455

Code Behaviors & Features

Detect and mitigate CVE-2026-49455 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 1.0.0-beta.1

Fixed versions

  • 1.0.0-beta.1

Solution

Upgrade to version 1.0.0-beta.1 or above.

Impact 6.5 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Learn more about CVSS

Weakness

  • CWE-352: Cross-Site Request Forgery (CSRF)

Source file

npm/waku/CVE-2026-49455.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Thu, 09 Jul 2026 12:19:38 +0000.