7.4
Feathers OAuth Setup Allows Attackers to Take Over Accounts
CVE-2026-27191
GHSA-ppf9-4ffw-hh4p
Summary
Feathers OAuth setup can be tricked into redirecting users to malicious sites, allowing attackers to steal access tokens and impersonate users. To fix this, update Feathers to the latest version and ensure the base origin in the configuration ends with a slash (/).
What to do
- Update feathersjs authentication-oauth to version 5.0.40.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| feathersjs | authentication-oauth | <= 5.0.39 | 5.0.40 |
| feathersjs | feathers | <= 5.0.40 | – |
Original title
Feathers has an open redirect in OAuth callback enables account takeover
Original description
### Description
The `redirect` query parameter is appended to the base origin without validation, allowing attackers to steal access tokens via URL authority injection. This leads to full account takeover, as the attacker obtains the victim's access token and can impersonate them.
The application constructs the final redirect URL by concatenating the base origin with the user-supplied `redirect` parameter:
```javascript
// https://github.com/feathersjs/feathers/blob/dove/packages/authentication-oauth/src/service.ts#L158C3-L176C4
const { redirect } = query;
...
session.redirect = redirect;
// https://github.com/feathersjs/feathers/blob/dove/packages/authentication-oauth/src/strategy.ts#L98
const redirectUrl = `${redirect}${queryRedirect}`;
```
Where:
- `redirect` = base origin from config (e.g., `https://target.com`)
- `queryRedirect` = user input from `?redirect=` parameter
This is exploitable when the `origins` array is configured and origin values do not end with `/`. Supplying `@attacker.com` as the redirect value results in `https://target.com@attacker.com#access_token=...`, where the browser interprets `attacker.com` as the host, leading to full account takeover.
**Credits**: Abdelwahed Madani Yousfi (@vvxhid) / Edoardo Geraci (@b0-n0-b0) / Thomas Rinsma (@ThomasRinsma) From Codean Labs.
nvd CVSS3.1
6.1
nvd CVSS4.0
7.4
Vulnerability type
CWE-601
Open Redirect
- https://nvd.nist.gov/vuln/detail/CVE-2026-27191
- https://github.com/advisories/GHSA-ppf9-4ffw-hh4p
- https://github.com/feathersjs/feathers/commit/ee19a0ae9bc2ebf23b1fe598a1f7361981... Patch
- https://github.com/feathersjs/feathers/releases/tag/v5.0.40 Product Release Notes
- https://github.com/feathersjs/feathers/security/advisories/GHSA-ppf9-4ffw-hh4p Third Party Advisory
Published: 19 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026