8.1
RedwoodSDK: GET requests can bypass intended HTTP method
CVE-2026-39371
GHSA-x8rx-789c-2pxq
Summary
A bug in RedwoodSDK allowed attackers to use GET requests to perform actions intended for other HTTP methods. This could have allowed unauthorized changes to a website's state. Update to version 1.0.6 or later to fix the issue.
What to do
- Update GitHub Actions rwsdk to version 1.0.6.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| GitHub Actions | rwsdk | > 1.0.0-beta.50, <= 1.0.5 | 1.0.6 |
Original title
RedwoodSDK has a CSRF vulnerability in server function dispatch via GET requests
Original description
**Summary**
Server functions exported from `"use server"` files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to trigger state-changing functions, because browsers send `SameSite=Lax` cookies on top-level GET requests.
This affected all server functions -- both `serverAction()` handlers and bare exported functions in `"use server"` files.
**Impact**
An attacker could construct a URL containing a known action ID and JSON-encoded arguments. When a victim with an active session visited or was redirected to this URL, the function executed with the victim's credentials. This affected any server function that performs state-changing operations (writes, deletes, mutations) in applications using cookie-based authentication.
**Remediation**
Update to rwsdk `1.0.6`. No application code changes are required.
The fix enforces the declared HTTP method at dispatch time. GET requests to server functions that require POST now return `405 Method Not Allowed`.
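The dispatch flaw and the method check described above, as an added example that is not rwsdk's own code: a minimal model of a server-function registry in which each `"use server"` export declares the HTTP method it requires, beside a dispatcher that ignores the method and one that enforces it at dispatch time. The endpoint path, the action IDs, the argument encoding and the request shape are assumptions for illustration, not rwsdk's real wire format.

```javascript
// Added example (not rwsdk's code): a simplified model of server-function dispatch.
// Registry of "use server" exports; each entry declares the method it requires.
const serverFunctions = new Map([
  ["deleteAccount", { method: "POST", fn: (userId) => ({ deleted: userId }) }],
  ["getProfile", { method: "GET", fn: (userId) => ({ userId, name: "demo" }) }],
]);

// Action ID and JSON-encoded arguments carried in the query string, mirroring the
// "known action ID and JSON-encoded arguments" URL the advisory describes.
function parseActionId(url) {
  return new URL(url).searchParams.get("action");
}
function parseArgs(url) {
  return JSON.parse(new URL(url).searchParams.get("args") ?? "[]");
}

// Vulnerable dispatcher: routes on the action ID alone and never looks at
// req.method, so a top-level cross-site GET reaches a state-changing function.
function dispatchVulnerable(req) {
  const entry = serverFunctions.get(parseActionId(req.url));
  if (!entry) return { status: 404 };
  return { status: 200, body: entry.fn(...parseArgs(req.url)) };
}

// Hardened dispatcher: enforces the declared method before touching the
// (untrusted) argument payload, answering 405 with an Allow header, which is the
// behaviour the 1.0.6 fix is described to have.
function dispatchHardened(req) {
  const entry = serverFunctions.get(parseActionId(req.url));
  if (!entry) return { status: 404 };
  if (req.method !== entry.method) {
    return { status: 405, headers: { Allow: entry.method } };
  }
  return { status: 200, body: entry.fn(...parseArgs(req.url)) };
}

// Constructed request: a top-level GET navigation that a browser would send with
// the victim's SameSite=Lax session cookie. "/server-function" is a placeholder path.
const crossSiteGet = {
  method: "GET",
  url: "https://app.example/server-function?action=deleteAccount&args=%5B%22victim%22%5D",
  cookie: "session=victim-session",
};

console.log("vulnerable:", dispatchVulnerable(crossSiteGet).status); // 200
console.log("hardened:", dispatchHardened(crossSiteGet).status); // 405
```

The same GET request with `action=getProfile` still returns 200 from the hardened dispatcher, since that export declares GET; only functions declared as POST are refused.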
NVD CVSS 3.1: 8.1
Vulnerability type: CWE-352 Cross-Site Request Forgery (CSRF)
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 7 Apr 2026