Fluid Attacks Database

Description

A CSRF check bypass flaw has been discovered in Next.js. The origin: null was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests. An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	next	>=16.0.1 <16.1.7	16.1.7
rpm rhel9	dotnet7.0	-	-

Aliases

1. CVE-2026-279782. NVD-2026-279783. OSV-2026-279784. GHSA-mq59-m269-xvcx5. GCVE-2026-27978

References

1. https://github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx2. https://github.com/vercel/next.js/commit/a27a11d78e748a8c7ccfd14b7759ad2b9bf097d83. https://github.com/vercel/next.js/releases/tag/v16.1.74. https://github.com/Nayekah/Next.js-Proof-of-Concept

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.