PT-2026-34722 · Npm · Node-Oauth2-Server
Karimtantawey · Published 2026-04-16 · Updated 2026-04-23
CVE-2026-41213
CVSS v3.1 base score: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
@node-oauth/oauth2-server (affected versions not specified)
Description
The authorization-code exchange at the token endpoint accepts malformed code_verifier values, including one-character strings, in S256 PKCE (Proof Key for Code Exchange) flows. RFC 7636 requires a code_verifier of 43 to 128 characters drawn from the unreserved set (A-Z, a-z, 0-9, "-", ".", "_", "~"), so such values should be rejected before the challenge is even compared. Because short or weak verifiers are accepted and a failed exchange does not invalidate the authorization code, an attacker who intercepts an authorization code issued against a weak challenge can submit verifier guesses online, one token request per guess, until the S256 hash matches and a token is issued. The attack is only practical when the client sent a short or otherwise low-entropy verifier (a compliant 43-character random verifier cannot be guessed), which is why the server-side length and character-set check matters as a defence that does not depend on client behaviour.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Improper Restriction of Excessive Authentication Attempts
Related Identifiers
Affected Products
Node-Oauth2-Server