PT-2026-21346 · Unknown · Feathersjs

Author: Abdelwahed Madani Yousfi · Published 2026-02-19 · Updated 2026-02-21 · CVE-2026-27191

CVSS v4.0: 7.4 (High)
Vector: AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Feathersjs versions 5.0.39 and below

Description: Feathersjs is a framework for building web APIs and real-time applications. A flaw exists where the redirect query parameter is appended to the base origin without proper validation, allowing attackers to steal access tokens through URL authority injection and potentially take over accounts. The application builds the redirect URL by concatenating the base origin with the user-provided redirect parameter. This is exploitable when the origin does not end with a forward slash (/). A malicious redirect value such as @attacker.com produces a URL like https://target.com@attacker.com#access_token=..., which the browser parses with attacker.com as the host (and target.com as the userinfo part), so the victim's access token is delivered to the attacker, who can then impersonate the victim.

Recommendations: Update to version 5.0.40 or later.
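The following is an added example, not FeathersJS's own code, showing the concatenation pattern the advisory describes and a hardened builder that rejects any redirect that would leave the configured origin. Function names (buildRedirectNaive, buildRedirectSafe, hostOf) and the sample values (target.com, attacker.com, the token) are constructed for illustration; the real code differs in detail.

```javascript
// Added example (not the project's code): naive origin + redirect
// concatenation versus an origin-checked redirect builder.

// Naive builder modelled on the advisory's description (assumption: the
// actual implementation differs). With an origin lacking a trailing slash,
// a redirect beginning with "@" becomes part of the URL authority.
function buildRedirectNaive(origin, redirect) {
  return `${origin}${redirect}`;
}

// Hardened builder: resolve the redirect as a reference relative to the
// configured origin with the WHATWG URL parser, then require that the
// resulting origin is identical to the configured one. Anything that would
// land on another host (absolute URL, protocol-relative "//host", or an
// unparseable value) returns null so the caller can fall back to a default.
function buildRedirectSafe(origin, redirect) {
  const base = new URL(origin);
  let candidate;
  try {
    candidate = new URL(redirect, base);
  } catch {
    return null; // not a parseable reference at all
  }
  if (candidate.origin !== base.origin) return null; // would leave our origin
  if (candidate.protocol !== 'https:' && candidate.protocol !== 'http:') return null;
  return candidate.href;
}

// Helper used to show which host a browser would actually contact.
function hostOf(urlString) {
  try {
    return new URL(urlString).host;
  } catch {
    return null;
  }
}

// Constructed sample values for a stand-alone run.
const ORIGIN_NO_SLASH = 'https://target.com';
const REDIRECT_PARAM = '@attacker.com#access_token=constructed-sample-token';

console.log('naive  ->', hostOf(buildRedirectNaive(ORIGIN_NO_SLASH, REDIRECT_PARAM)));
console.log('safe   ->', buildRedirectSafe(ORIGIN_NO_SLASH, REDIRECT_PARAM));
console.log('safe   ->', buildRedirectSafe(ORIGIN_NO_SLASH, '//attacker.com/'));
console.log('safe   ->', buildRedirectSafe(ORIGIN_NO_SLASH, '/dashboard'));
```

The check that matters is the comparison of `candidate.origin` against the configured origin after parsing: string prefix checks are what fail here, since `https://target.com@attacker.com` does begin with `https://target.com`. A simple detection heuristic for logs is to flag redirect parameters containing `@` or starting with `//`, and the fix in 5.0.40 should be verified by confirming that such values no longer yield a cross-origin Location header.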

Weakness Enumeration: Open Redirect

Related Identifiers:
- CVE-2026-27191
- GHSA-PPF9-4FFW-HH4P

Affected Products: Feathersjs