Bug 2428414 (CVE-2026-22030)

Summary: CVE-2026-22030 react-router: React Router CSRF in Action/Server Action Request Processing
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, abarbaro, abokovoy, abrianik, adudiak, alcohan, alizardo, anjoseph, anpicker, anthomas, aschwart, asoldano, bbaranow, bdettelb, bmaxwell, boliveir, bparees, brasmith, brian.stansberry, carogers, caswilli, cmah, cochase, darran.lofthouse, dbosanac, dhanak, dnakabaa, doconnor, dosoudil, dranck, drosa, dymurray, eaguilar, ebaron, ehelms, erezende, eric.wittmann, fdeutsch, fjuma, frenaud, ftrivino, ggainey, ggrzybek, gmalinko, gparvin, haoli, hasun, hkataria, ibek, ibolton, istudens, ivassile, iweiss, jajackso, janstey, jbalunas, jcammara, jcantril, jchui, jfula, jhe, jkoehler, jmatthew, jmitchel, jmontleo, jneedle, joehler, jolong, jowilson, jprabhak, jreimann, jrokos, juwatts, kaycoth, kegrant, koliveir, kshier, ktsao, kverlaen, lball, lcouzens, lphiri, mabashia, manissin, mdessi, mhulan, mnovotny, mosmerov, mposolda, mrizzi, mskarbek, msvehla, mwringe, nboldt, ngough, nipatil, nmoumoul, nwallace, nyancey, ometelka, oramraz, osousa, owatkins, pahickey, pantinor, parichar, pberan, pbizzarr, pbohmill, pbraun, pcattana, pcreech, pdelbell, pesilva, pgaikwad, pjindal, pmackay, psrna, ptisnovs, rchan, rhaigner, rjohnson, rkubis, rmartinc, rojacob, rstancel, rstepani, sausingh, sdawley, sdoran, shvarugh, simaishi, slucidi, smaestri, smallamp, smcdonal, smullick, sseago, ssilvert, stcannon, sthorger, stirabos, syedriko, tasato, teagle, tfister, thason, thavo, tmalecek, tom.jenkinson, veshanka, vmuzikar, wtam, xdharmai, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A cross site request forgery flaw has been discovered in the npm react-router package. React Router is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2428763    
Bug Blocks:    

Description OSIDB Bzimport 2026-01-10 04:01:39 UTC 
React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes. There is no impact if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/server-runtime version 2.17.3 and react-router version 7.12.0.