JustAppSec

CVE-2026-27971: Qwik patches unauthenticated RCE in server$ RPC deserialization (fix in 1.19.1)

What happened

The CVE record for CVE-2026-27971 was published describing a critical (CVSS 4.0 base score 9.2) unauthenticated remote code execution issue in Qwik caused by unsafe deserialization in the server$ RPC mechanism.

An unauthenticated attacker can trigger code execution on the server with a single HTTP request, with highest risk in deployments where require() is available at runtime.

Who is impacted

  • Projects using the npm package @builder.io/qwik on versions <= 1.19.0.
  • Any Qwik deployment exposing server$ RPC functionality, especially where runtime conditions allow require().

What to do now

  • Upgrade @builder.io/qwik to 1.19.1 (the first patched version).
  • Identify production services running Qwik and inventory versions (lockfiles, container images, and deployed artifacts).
  • If compromise is suspected, follow standard incident response: review inbound request logs around server$ endpoints, and rotate credentials/secrets accessible to the impacted service.
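The inventory step above is easy to get wrong by hand because npm can install more than one copy of a package (a patched top-level copy plus an older one nested under another dependency). The following Node script is an added example, not code from the advisory or from the Qwik project: it walks a package-lock.json object (both the v2/v3 "packages" map and the older v1 nested "dependencies" tree), lists every installed @builder.io/qwik, and flags any version below the 1.19.1 patched release named in the advisory. The sample lockfile and the dependency name some-ui-kit are constructed for the demonstration.

```javascript
// Added example (not from the advisory or the Qwik project): inventory
// @builder.io/qwik versions in an npm lockfile and flag anything below
// the patched release 1.19.1 named in the advisory.
const PACKAGE = "@builder.io/qwik";
const PATCHED = "1.19.1";

// Parse "1.19.0" or "1.19.1-beta.2" into comparable parts.
function parseVersion(v) {
  const [core, prerelease] = v.split("-", 2);
  const nums = core.split(".").map((n) => parseInt(n, 10));
  if (nums.length !== 3 || nums.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return { nums, prerelease: prerelease ?? null };
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
// A prerelease sorts below the release with the same core numbers.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.prerelease === pb.prerelease) return 0;
  if (pa.prerelease === null) return 1;
  if (pb.prerelease === null) return -1;
  return pa.prerelease < pb.prerelease ? -1 : 1;
}

// Anything older than the first patched version is in the affected range.
function isVulnerable(version) {
  return compareVersions(version, PATCHED) < 0;
}

// Collect every installed copy of the package. Lockfile v2/v3 lists each
// installed path under "packages"; v1 nests copies under "dependencies".
function findQwikVersions(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith(`node_modules/${PACKAGE}`) && entry.version) {
        found.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === PACKAGE && entry.version) {
          found.push({ path, version: entry.version });
        }
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

// One audit record per installed copy, with the vulnerability verdict.
function auditLockfile(lock) {
  return findQwikVersions(lock).map((f) => ({
    ...f,
    vulnerable: isVulnerable(f.version),
  }));
}

// Constructed sample lockfile (v3 shape): a patched top-level copy and an
// unpatched nested copy pulled in by a hypothetical dependency "some-ui-kit".
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "0.0.0" },
    "node_modules/@builder.io/qwik": { version: "1.19.1" },
    "node_modules/some-ui-kit": { version: "2.0.0" },
    "node_modules/some-ui-kit/node_modules/@builder.io/qwik": { version: "1.19.0" },
  },
};

// Usage: node audit-qwik.js [path/to/package-lock.json]
// Without an argument the constructed sample lockfile is audited.
if (typeof module !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  for (const r of auditLockfile(lock)) {
    console.log(`${r.vulnerable ? "VULNERABLE" : "ok"}\t${r.version}\t${r.path}`);
  }
}
```

Running it against the sample reports the top-level 1.19.1 copy as ok and the nested 1.19.0 copy as vulnerable, which is exactly the case a plain `npm ls` glance or a top-level package.json check would miss. Point it at the lockfiles checked into each service repo, and at the lockfiles inside built container images, to cover the "deployed artifacts" part of the inventory.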

Additional Information

  • CVE: CVE-2026-27971
  • CWE: CWE-502 (Deserialization of Untrusted Data)
  • Affected versions: < 1.19.1 (explicitly noted as <= 1.19.0 in the description)
  • Patched version: 1.19.1

Source: CVEProject (cvelistV5)
Published 03 Mar 2026