CVE-2026-27978 Overview
CVE-2026-27978 is a Cross-Site Request Forgery (CSRF) vulnerability in Next.js, the popular React framework for building full-stack web applications. The vulnerability exists in the Server Action CSRF validation mechanism, where requests with origin: null were incorrectly treated as having a "missing" origin rather than being properly validated as cross-origin requests. This flaw allows attackers to bypass origin verification when requests originate from opaque contexts such as sandboxed iframes.
Critical Impact
Attackers can induce victim browsers to submit Server Actions from sandboxed contexts, potentially executing state-changing actions with victim credentials, leading to unauthorized operations on behalf of authenticated users.
Affected Products
- Vercel Next.js versions 16.0.1 through 16.1.6
- Applications using Next.js Server Actions without additional CSRF protection
- Deployments that allow opaque origin contexts (sandboxed iframes)
Discovery Timeline
- 2026-03-18 - CVE-2026-27978 published to NVD
- 2026-03-18 - Last updated in NVD database
Technical Details for CVE-2026-27978
Vulnerability Analysis
This CSRF vulnerability stems from improper handling of the origin: null header value in Next.js Server Action requests. The framework's CSRF protection mechanism was designed to validate the origin of incoming requests to prevent cross-site request forgery attacks. However, when the origin header was set to the literal string 'null' (which browsers send from privacy-sensitive contexts like sandboxed iframes), the validation logic incorrectly interpreted this as a missing origin value rather than an explicit cross-origin request indicator.
This misinterpretation allowed requests from sandboxed iframes and other opaque contexts to bypass the origin verification checks entirely. Since these contexts can still transmit credentials such as cookies, an attacker could craft a malicious page containing a sandboxed iframe that submits Server Action requests to a vulnerable Next.js application, executing actions with the victim's authenticated session.
Root Cause
The root cause lies in the conditional logic within the action-handler.ts file that processes the origin header. The original implementation used a condition that checked if originHeader !== 'null' before parsing the origin URL, effectively treating 'null' origins the same as completely absent origins. This design oversight failed to account for the security implications of opaque origin contexts, which are legitimate browser behaviors but require explicit handling in CSRF protection mechanisms.
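The following is an added example, not Next.js code: a simplified model of the Server Action origin check before and after the fix, showing why a literal 'null' origin slipped through. It assumes (as the page describes) that an absent Origin header is not rejected, and that allowedOrigins holds host names compared case-insensitively.

```javascript
// Added example, not Next.js code: a simplified model of the Server Action
// origin check before and after the fix. Assumptions: an absent Origin header
// is not rejected (the behaviour the page describes), and allowedOrigins holds
// host names compared case-insensitively.

// Vulnerable variant: the literal 'null' collapses to undefined ("no origin").
function originHostVulnerable(headers) {
  const originHeader = headers['origin']
  return typeof originHeader === 'string' && originHeader !== 'null'
    ? new URL(originHeader).host
    : undefined
}

// Fixed variant: 'null' survives as an explicit origin value to be checked.
function originHostFixed(headers) {
  const originHeader = headers['origin']
  if (typeof originHeader !== 'string') return undefined
  return originHeader === 'null' ? 'null' : new URL(originHeader).host
}

// Shared enforcement: same host, or explicitly allowlisted, otherwise reject.
function isAllowed(originHost, headers, allowedOrigins = []) {
  if (originHost === undefined) return true // absent origin (assumption above)
  const wanted = originHost.toLowerCase()
  const host = (headers['host'] || '').toLowerCase()
  if (host && wanted === host) return true
  return allowedOrigins.some((o) => o.toLowerCase() === wanted)
}

function checkVulnerable(headers, allowedOrigins) {
  return isAllowed(originHostVulnerable(headers), headers, allowedOrigins)
}
function checkFixed(headers, allowedOrigins) {
  return isAllowed(originHostFixed(headers), headers, allowedOrigins)
}

// Constructed requests. A sandboxed iframe sends Origin: null, yet cookies still ride along.
const fromSandbox = { host: 'app.example', origin: 'null', cookie: 'session=abc' }
const sameOrigin = { host: 'app.example', origin: 'https://app.example' }
const crossSite = { host: 'app.example', origin: 'https://attacker.example' }

console.log('vulnerable accepts sandbox:', checkVulnerable(fromSandbox)) // true (the bypass)
console.log('fixed accepts sandbox:', checkFixed(fromSandbox)) // false
console.log('fixed, null allowlisted:', checkFixed(fromSandbox, ['null'])) // true
```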
Attack Vector
The attack vector is network-based and requires user interaction. An attacker can exploit this vulnerability by:
- Creating a malicious webpage containing a sandboxed iframe
- Configuring the iframe to point to or interact with the target Next.js application
- Inducing the victim to visit the malicious page while authenticated to the target application
- The sandboxed iframe sends requests with origin: null headers
- The vulnerable Next.js application bypasses CSRF validation and processes the Server Action
- State-changing operations execute with the victim's credentials
// Security patch from action-handler.ts
// Source: https://github.com/vercel/next.js/commit/a27a11d78e748a8c7ccfd14b7759ad2b9bf097d8
workStore.fetchCache = 'default-no-store'
const originHeader = req.headers['origin']
- const originDomain =
- typeof originHeader === 'string' && originHeader !== 'null'
- ? new URL(originHeader).host
+ const originHost =
+ typeof originHeader === 'string'
+ ? // 'null' is a valid origin e.g. from privacy-sensitive contexts like sandboxed iframes.
+ // However, these contexts can still send along credentials like cookies,
+ // so we need to check if they're allowed cross-origin requests.
+ originHeader === 'null'
+ ? 'null'
+ : new URL(originHeader).host
: undefined
const host = parseHostHeader(req.headers)
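Review bot: the comment on the added lines says null-origin requests still have to be checked against the allowed cross-origin list, but that comparison is outside this hunk; the code that consumes originHost must compare the literal string 'null' against host and allowedOrigins in the same branch as any other origin value, rather than letting it fall into the "no origin" path, otherwise the rename alone changes nothing. Separately, new URL(originHeader).host throws on a malformed Origin header both before and after this change, so the caller should turn that into a rejected request rather than an unhandled exception.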
Detection Methods for CVE-2026-27978
Indicators of Compromise
- Unexpected Server Action requests originating from origin: null in application logs
- State changes or data modifications without corresponding legitimate user activity
- Unusual patterns of form submissions or API calls from sandboxed iframe contexts
- Authentication events followed by immediate sensitive operations from null origins
Detection Strategies
- Monitor HTTP request logs for Server Action endpoints receiving origin: null headers
- Implement application-level logging that captures origin headers for all Server Action requests
- Set up alerting for patterns of requests with null origins to sensitive endpoints
- Review web server access logs for unusual referrer patterns combined with null origins
Monitoring Recommendations
- Enable detailed request logging for all Next.js Server Action endpoints
- Configure SIEM rules to alert on origin: null requests to sensitive application functions
- Monitor for anomalous user session activity, particularly state-changing operations without corresponding UI interactions
- Track and baseline normal origin patterns to identify deviations
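As an added example (not from the page or from Next.js), the detection described above run over a few constructed JSON-lines access-log entries. It assumes the log records the fields shown (the field names are an assumption) and relies on Server Actions being POST requests that carry a Next-Action header; accepted and rejected null-origin actions are reported separately, since after the patch the rejected ones still signal attempts.

```javascript
// Added example, not from the page or Next.js: flag Server Action requests
// that arrived with Origin: null. Assumes JSON-lines access logs with the
// fields below (field names are an assumption); Server Actions are POSTs
// carrying a Next-Action header, logged here as next_action.
const SAMPLE_LOG = [ // constructed sample entries
  '{"ts":"2026-03-18T10:00:01Z","method":"POST","path":"/account","origin":"https://app.example","next_action":"7f3a","status":200,"user":"alice"}',
  '{"ts":"2026-03-18T10:00:02Z","method":"POST","path":"/account","origin":"null","next_action":"7f3a","status":200,"user":"alice"}',
  '{"ts":"2026-03-18T10:00:03Z","method":"GET","path":"/","origin":"null","status":200}',
  '{"ts":"2026-03-18T10:00:04Z","method":"POST","path":"/api/upload","next_action":"c1d2","status":200,"user":"bob"}',
  '{"ts":"2026-03-18T10:00:05Z","method":"POST","path":"/account","origin":"null","next_action":"7f3a","status":403,"user":"carol"}',
].join('\n')

function parseLog(text) {
  return text.split('\n').filter(Boolean).map((line) => JSON.parse(line))
}

// A Server Action request is a POST with a Next-Action header (next_action field).
function isServerAction(e) {
  return e.method === 'POST' && typeof e.next_action === 'string'
}

// Split null-origin Server Actions into ones the app accepted (2xx, the
// vulnerable outcome) and ones it rejected (attempts seen after patching).
function findNullOriginActions(entries) {
  const hits = entries.filter((e) => isServerAction(e) && e.origin === 'null')
  return {
    accepted: hits.filter((e) => e.status >= 200 && e.status < 300),
    rejected: hits.filter((e) => e.status < 200 || e.status >= 300),
  }
}

// Count accepted null-origin actions per path for an alert threshold.
function countByPath(entries) {
  const counts = {}
  for (const e of entries) counts[e.path] = (counts[e.path] || 0) + 1
  return counts
}

const report = findNullOriginActions(parseLog(SAMPLE_LOG))
console.log('accepted with null origin:', countByPath(report.accepted)) // { '/account': 1 }
console.log('rejected with null origin:', report.rejected.length) // 1
```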
How to Mitigate CVE-2026-27978
Immediate Actions Required
- Upgrade Next.js to version 16.1.7 or later immediately
- Audit existing Server Actions for sensitive state-changing operations
- Implement additional CSRF token protection for critical Server Actions
- Review experimental.serverActions.allowedOrigins configuration to ensure 'null' is not inadvertently allowed
Patch Information
The vulnerability is fixed in Next.js version 16.1.7. The patch modifies the origin header handling logic to treat 'null' as an explicit origin value rather than a missing value. After the fix, requests with origin: null are properly enforced against host/origin checks unless 'null' is explicitly allowlisted in the experimental.serverActions.allowedOrigins configuration. For detailed information about the fix, refer to the GitHub Security Advisory GHSA-mq59-m269-xvcx and the Next.js v16.1.7 release.
Workarounds
- Add explicit CSRF tokens for all sensitive Server Actions as an additional protection layer
- Configure SameSite=Strict on sensitive authentication cookies to prevent cross-site cookie transmission
- Ensure 'null' is not included in serverActions.allowedOrigins unless intentionally required with additional protections
- Consider implementing server-side request validation that explicitly rejects null origin requests for sensitive operations
// Configuration example for next.config.js
// Ensure 'null' is NOT in allowedOrigins unless explicitly needed
// Example secure configuration:
module.exports = {
  experimental: {
    serverActions: {
      // Do NOT include 'null' unless you have additional CSRF protection
      allowedOrigins: ['your-domain.com', 'trusted-subdomain.your-domain.com'],
    },
  },
}
# Shell: after upgrading to 16.1.7, verify the installed Next.js version:
npm list next
# or
yarn list next
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


