PT-2026-24420 · Unknown · Feathersjs
Sofianeelhor · Published 2026-03-10 · Updated 2026-03-10 · CVE-2026-29792

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Feathersjs versions 5.0.0 through 5.0.41

Description: Feathersjs is a framework for building web APIs and real-time applications. An unauthenticated attacker can exploit a flaw in the OAuth callback functionality by sending a specially crafted GET request to the /oauth/:provider/callback API endpoint. The vulnerability arises from a fallback in the OAuth service's authentication process: when Grant's session or state response is empty, the service falls back to the request query parameters (params.query) as the source of the provider response. Because the attacker never initiates an OAuth authorize flow, the Grant session is empty and the fallback is triggered, allowing the attacker to forge a profile in the query string and obtain a valid access token for an existing user without ever interacting with the OAuth provider.

Recommendations: Update Feathersjs to version 5.0.42 or later.

Weakness Enumeration
Improper Authentication

Related Identifiers
CVE-2026-29792
GHSA-WG9X-QFGW-PXHJ

Affected Products
Feathersjs