CVE-2026-27192

Name of the Vulnerable Software and Affected Versions Feathersjs versions 5.0.39 and below

Description Feathersjs is a framework used for building web APIs and real-time applications. A flaw in origin validation, specifically using the startsWith() function for comparison, allows attackers to bypass origin checks. This bypass is possible by registering a domain that shares a common prefix with an allowed origin. The getAllowedOrigin() function inadequately validates the prefix of the Referer header against allowed origins. An attacker can initiate the OAuth flow from an unauthorized origin and potentially steal tokens, leading to full account takeover.

Recommendations Update to version 5.0.40 or later.