Feathers OAuth allows attackers to access authorized domains
CVE-2026-27192
GHSA-mp4x-c34x-wv3x
Summary
If you use Feathers OAuth with an `origins` allow-list, an attacker can register a domain whose name starts with an allowed origin (for example `https://target.com.attacker.com` when `https://target.com` is allowed) and pass the origin check, because the check only compares the prefix. In some deployments this lets the attacker start the OAuth flow from their own site and exfiltrate the issued tokens, leading to account takeover. The fix is to update `@feathersjs/authentication-oauth` to 5.0.40 or later; the vulnerable comparison lives in library code, and the `origins` array has no setting that turns prefix matching off.
What to do
- Update `@feathersjs/authentication-oauth` to version 5.0.40 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| feathersjs | authentication-oauth | <= 5.0.39 | 5.0.40 |
| feathersjs | feathers | <= 5.0.40 | – |
Original title
Feathers has an origin validation bypass via prefix matching
Original description
The origin validation uses `startsWith()` for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefix with an allowed origin.
The `getAllowedOrigin()` function checks whether the Referer header starts with any allowed origin:
```javascript
// https://github.com/feathersjs/feathers/blob/dove/packages/authentication-oauth/src/strategy.ts#L75
const allowedOrigin = origins.find((current) => referer.toLowerCase().startsWith(current.toLowerCase()));
```
This comparison is insufficient as it only validates the prefix. This is exploitable when the `origins` array is configured and an attacker registers a domain starting with an allowed origin string (e.g., `https://target.com.attacker.com` bypasses `https://target.com`).
On its own, this still redirects tokens to a configured origin. However, in specific scenarios an attacker can initiate the OAuth flow from an unauthorized origin and exfiltrate tokens, achieving full account takeover.
**Credits**: Abdelwahed Madani Yousfi (@vvxhid) / Edoardo Geraci (@b0-n0-b0) / Thomas Rinsma (@ThomasRinsma) From Codean Labs.
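The following is an added illustration, not code from the Feathers repository and not the project's own fix. It places the prefix comparison quoted above next to a strict-origin check that parses the Referer with the WHATWG `URL` class and compares the serialized origin (scheme, host and port) for equality, so a look-alike host, a different port or an unparsable Referer no longer matches. The `origins` entries and Referer values are constructed for the example.

```javascript
// Added example: vulnerable prefix check vs. strict origin comparison.
// Not code from the Feathers repository; origins below are made up.
const origins = ["https://target.com", "https://App.Example.org:8443"];

// Vulnerable: a Referer that merely *starts with* an allowed origin is
// accepted, so "https://target.com.attacker.com/..." matches "https://target.com".
function getAllowedOriginVulnerable(referer, origins) {
  return origins.find((current) =>
    referer.toLowerCase().startsWith(current.toLowerCase())
  );
}

// Hardened: parse both sides as URLs and require the serialized origins
// (scheme + host + port) to be identical. A missing or malformed Referer,
// or a misconfigured allow-list entry, never matches.
function getAllowedOriginStrict(referer, origins) {
  let refererOrigin;
  try {
    refererOrigin = new URL(referer).origin; // host is lower-cased here
  } catch {
    return undefined;
  }
  return origins.find((current) => {
    try {
      return new URL(current).origin === refererOrigin;
    } catch {
      return false;
    }
  });
}

// Constructed Referer values: a legitimate one, the bypass from the
// advisory, same-host variants with a different port or scheme, a
// mixed-case legitimate origin, and garbage.
const cases = [
  "https://target.com/login",
  "https://target.com.attacker.com/oauth/callback",
  "https://target.com:8443/",
  "http://target.com/",
  "https://app.example.org:8443/x",
  "not a url",
];

// Runs both checks over the sample Referers so the difference is visible.
function compare(referers) {
  return referers.map((r) => ({
    referer: r,
    vulnerable: getAllowedOriginVulnerable(r, origins),
    strict: getAllowedOriginStrict(r, origins),
  }));
}

for (const row of compare(cases)) {
  console.log(row);
}
```

Comparing `URL.origin` rather than raw strings also means a port or scheme mismatch is rejected, which the prefix check accepts for `https://target.com:8443/`; anything that only checks whether the host "contains" or "ends with" the allowed name would reopen the same class of bypass from the other side.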
NVD CVSS 3.1: 8.1
NVD CVSS 4.0: 7.6
Vulnerability type
CWE-346 (Origin Validation Error)
References
- https://github.com/feathersjs/feathers/security/advisories/GHSA-mp4x-c34x-wv3x Third Party Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-27192
- https://github.com/advisories/GHSA-mp4x-c34x-wv3x
- https://github.com/feathersjs/feathers/commit/ee19a0ae9bc2ebf23b1fe598a1f7361981... Patch
- https://github.com/feathersjs/feathers/releases/tag/v5.0.40 Product Release Notes
Published: 19 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026