CVE-2026-27978: Next.js: null origin can bypass Server Actions CSRF checks

March 17, 2026 (updated March 19, 2026)

origin: null was treated as a “missing” origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests.

References

github.com/advisories/GHSA-mq59-m269-xvcx
github.com/vercel/next.js
github.com/vercel/next.js/commit/a27a11d78e748a8c7ccfd14b7759ad2b9bf097d8
github.com/vercel/next.js/releases/tag/v16.1.7
github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx
nvd.nist.gov/vuln/detail/CVE-2026-27978

Code Behaviors & Features

Detect and mitigate CVE-2026-27978 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →