CVE-2026-27192 Overview
CVE-2026-27192 is an Authorization Bypass vulnerability in FeathersJS, a popular framework for creating web APIs and real-time applications with TypeScript or JavaScript. The vulnerability exists in the OAuth authentication module where origin validation uses an insecure startsWith() comparison method. This allows attackers to bypass origin checks by registering a domain that shares a common prefix with an allowed origin, potentially leading to full account takeover through OAuth token exfiltration.
Critical Impact
Attackers can bypass OAuth origin validation by registering malicious domains with matching prefixes (e.g., https://target.com.attacker.com bypasses https://target.com), enabling OAuth flow manipulation and potential account takeover through token theft.
Affected Products
- FeathersJS Feathers versions 5.0.39 and below
- Applications using @feathersjs/authentication-oauth package with configured origins array
- Node.js deployments utilizing FeathersJS OAuth authentication
Discovery Timeline
- 2026-02-21 - CVE-2026-27192 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-27192
Vulnerability Analysis
The vulnerability resides in the getAllowedOrigin() function within the @feathersjs/authentication-oauth package. When validating OAuth requests, the function checks if the HTTP Referer header starts with any configured allowed origin. This prefix-based comparison is fundamentally flawed because it fails to properly validate the complete origin, allowing domain suffix attacks.
The insecure validation occurs when an application configures an origins array for OAuth authentication. An attacker can exploit this by registering a domain that starts with an allowed origin string. For example, if https://target.com is configured as an allowed origin, an attacker could register https://target.com.attacker.com which would pass the startsWith() validation check.
While tokens are still redirected to a configured origin under normal circumstances, specific attack scenarios allow an attacker to initiate the OAuth flow from an unauthorized origin and exfiltrate authentication tokens, achieving full account takeover.
Root Cause
The root cause is improper origin validation using JavaScript's startsWith() method instead of proper URL origin comparison. The vulnerable code performs a case-insensitive prefix match on the Referer header against allowed origins, which fails to account for subdomain structures and URL parsing semantics. Proper origin validation requires parsing the full URL and comparing the complete origin (protocol + host + port) rather than just checking for a matching prefix.
Attack Vector
The attack requires network access and user interaction. An attacker must register a malicious domain that begins with an allowed origin (e.g., target.com.attacker.com to bypass target.com). When a victim initiates or is tricked into initiating an OAuth flow from the attacker-controlled domain, the origin validation is bypassed due to the prefix match. The attacker can then potentially intercept OAuth tokens during the authentication callback, leading to account takeover.
Vulnerable Code:
if (Array.isArray(origins)) {
  const referer = params?.headers?.referer || origins[0]
  // Prefix match: any referer that merely begins with an allowed origin passes
  const allowedOrigin = origins.find((current) => referer.toLowerCase().startsWith(current.toLowerCase()))
  if (!allowedOrigin) {
    throw new NotAuthenticated(`Referer "${referer}" is not allowed.`)
  }
}
Source: GitHub Commit ee19a0ae9bc2ebf23b1fe598a1f7361981b65401
Fixed Code:
if (Array.isArray(origins)) {
  const referer = params?.headers?.referer || origins[0]
  // Parse the referer to get its origin for proper comparison
  let refererOrigin: string
  try {
    refererOrigin = new URL(referer).origin
  } catch {
    throw new NotAuthenticated(`Invalid referer "${referer}".`)
  }
  // Compare full origins
  const allowedOrigin = origins.find((current) => refererOrigin.toLowerCase() === current.toLowerCase())
  if (!allowedOrigin) {
    throw new NotAuthenticated(`Referer "${referer}" is not allowed.`)
  }
}
Source: GitHub Commit ee19a0ae9bc2ebf23b1fe598a1f7361981b65401
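The following is an added example, not code from FeathersJS or from the commit above. It places the prefix check from the vulnerable logic next to an origin comparison modelled on the fix and runs both over constructed Referer values, so the difference in behaviour is visible on realistic input. The allowlist and all referer strings are constructed; the attacker host uses the reserved .example TLD. The last allowlist entry carries a trailing slash on purpose: it shows that once full origins are compared, a configured origin that is not a bare origin (scheme + host + port, no path) stops matching, which is a configuration point to check when upgrading.

```javascript
// Added example (not FeathersJS code): vulnerable prefix check vs. origin-based check.
// ALLOWED_ORIGINS is a constructed allowlist for a hypothetical deployment.
const ALLOWED_ORIGINS = [
  'https://target.com',
  'https://app.target.com:8443',
  'https://api.target.com/', // deliberately not a bare origin (trailing slash)
];

// Vulnerable behaviour: case-insensitive prefix match on the raw Referer string.
// Returns the matched allowlist entry, or null.
function allowedByPrefix(referer, origins = ALLOWED_ORIGINS) {
  return origins.find((o) => referer.toLowerCase().startsWith(o.toLowerCase())) ?? null;
}

// Hardened behaviour, modelled on the fix: parse the Referer and compare its full
// origin (scheme + host + port) against the allowlist. Throws on an unparseable Referer.
function allowedByOrigin(referer, origins = ALLOWED_ORIGINS) {
  let refererOrigin;
  try {
    refererOrigin = new URL(referer).origin; // WHATWG URL: lowercases scheme/host, drops default port
  } catch {
    throw new Error(`Invalid referer "${referer}".`);
  }
  return origins.find((o) => refererOrigin.toLowerCase() === o.toLowerCase()) ?? null;
}

// Constructed Referer values: the bypass from the advisory plus normalisation edge cases.
const SAMPLES = [
  'https://target.com/login',                  // legitimate
  'https://target.com.attacker.example/oauth', // prefix bypass: allowed origin is a DNS label prefix
  'https://target.com:443/login',              // explicit default port; URL.origin normalises it away
  'HTTPS://TARGET.COM/Login',                  // scheme/host case differs
  'https://app.target.com:8443/cb',            // non-default port must match exactly
  'https://api.target.com/x',                  // matches trailing-slash entry by prefix only
  'not-a-url',                                 // unparseable Referer
];

// Runs both checks over every sample and returns one row per referer.
function compare(referers = SAMPLES) {
  return referers.map((referer) => {
    let byOrigin;
    try {
      byOrigin = allowedByOrigin(referer);
    } catch {
      byOrigin = 'invalid';
    }
    return { referer, prefix: allowedByPrefix(referer), origin: byOrigin };
  });
}

console.table(compare());
```

Running it shows the attacker-controlled host accepted by the prefix check and rejected by the origin check, the `:443` and upper-case variants accepted by both, and the trailing-slash allowlist entry accepted only by the prefix check.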
Detection Methods for CVE-2026-27192
Indicators of Compromise
- OAuth authentication requests originating from domains that share prefixes with legitimate configured origins
- Unusual Referer headers containing allowed origin strings as prefixes followed by attacker-controlled domains
- Authentication tokens being requested from unexpected subdomains or lookalike domains
- User reports of unauthorized account access following OAuth login attempts
Detection Strategies
- Monitor web server logs for OAuth callback requests with suspicious Referer headers containing prefix-matched domains
- Implement alerting on OAuth flows originating from domains not in the explicit allowlist
- Review access logs for patterns where the Referer domain extends beyond configured allowed origins
- Deploy web application firewall rules to flag requests where Referer contains allowed origins as substrings
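The log-review strategies above can be turned into a small scan. The example below is added here and is not vendor or FeathersJS code: it parses combined-format access log lines, keeps requests under an assumed OAuth path prefix, and classifies each Referer. A Referer is reported as a prefix bypass when its raw string begins with an allowed origin (so it would have passed the vulnerable check) but its parsed origin is not on the allowlist. The log lines, client addresses (from the 203.0.113.0/24 documentation range), allowlist and `/oauth/` path prefix are all constructed. Note that provider callback requests legitimately carry the provider's origin or no Referer at all, which is why the scan reports the verdict rather than treating every non-allowlisted Referer the same way.

```javascript
// Added example (not FeathersJS or vendor code): flag OAuth requests whose Referer
// would have passed the vulnerable startsWith() check but fails an origin comparison.
// ALLOWED_ORIGINS and OAUTH_PATH_PREFIX are assumptions about a hypothetical deployment.
const ALLOWED_ORIGINS = ['https://target.com'];
const OAUTH_PATH_PREFIX = '/oauth/';

// Combined log format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "agent"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/;

// Constructed sample log lines.
const SAMPLE_LOG = [
  '203.0.113.10 - - [21/Feb/2026:10:00:01 +0000] "GET /oauth/github HTTP/1.1" 302 0 "https://target.com/login" "Mozilla/5.0"',
  '203.0.113.11 - - [21/Feb/2026:10:00:05 +0000] "GET /oauth/github HTTP/1.1" 302 0 "https://target.com.attacker.example/start" "Mozilla/5.0"',
  '203.0.113.12 - - [21/Feb/2026:10:00:09 +0000] "GET /oauth/github/callback?code=abc HTTP/1.1" 302 0 "https://github.com/" "Mozilla/5.0"',
  '203.0.113.13 - - [21/Feb/2026:10:00:12 +0000] "GET /api/users HTTP/1.1" 200 512 "https://target.com.attacker.example/" "Mozilla/5.0"',
  '203.0.113.14 - - [21/Feb/2026:10:00:15 +0000] "GET /oauth/google HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

// Parses one combined-format line into its fields, or returns null if it does not match.
function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), referer: m[6] };
}

// Classifies a Referer value against the allowlist:
//   allowed        parsed origin is on the allowlist
//   prefix-bypass  raw string starts with an allowed origin, but the origin differs
//   foreign        origin not on the allowlist and no prefix relationship
//   missing / unparseable
function classifyReferer(referer, origins = ALLOWED_ORIGINS) {
  if (!referer || referer === '-') return 'missing';
  let origin;
  try {
    origin = new URL(referer).origin;
  } catch {
    return 'unparseable';
  }
  if (origins.some((o) => origin.toLowerCase() === o.toLowerCase())) return 'allowed';
  const lower = referer.toLowerCase();
  if (origins.some((o) => lower.startsWith(o.toLowerCase()))) return 'prefix-bypass';
  return 'foreign';
}

// Returns the OAuth-path requests whose Referer is not allowed and not simply absent.
function findSuspiciousOAuthRequests(lines = SAMPLE_LOG) {
  const findings = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req || !req.path.startsWith(OAUTH_PATH_PREFIX)) continue;
    const verdict = classifyReferer(req.referer);
    if (verdict === 'allowed' || verdict === 'missing') continue;
    findings.push({ ...req, verdict });
  }
  return findings;
}

for (const f of findSuspiciousOAuthRequests()) {
  console.log(`${f.time} ${f.ip} ${f.path} referer=${f.referer} verdict=${f.verdict}`);
}
```

On the sample data the scan reports the request from 203.0.113.11 as a prefix bypass and the callback from 203.0.113.12 as foreign; the `/api/users` hit with the same attacker Referer is outside the OAuth path and is left to other rules.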
Monitoring Recommendations
- Enable verbose logging for the @feathersjs/authentication-oauth module to capture all origin validation decisions
- Set up real-time monitoring for failed authentication attempts with unusual Referer patterns
- Implement domain registration monitoring for lookalike domains targeting your OAuth-enabled applications
- Configure SIEM rules to correlate OAuth authentication events with unusual geographic or behavioral patterns
How to Mitigate CVE-2026-27192
Immediate Actions Required
- Upgrade FeathersJS to version 5.0.40 or later immediately
- Audit current OAuth origin configurations to identify potentially vulnerable deployments
- Review authentication logs for signs of exploitation attempts
- Consider temporarily restricting OAuth authentication to verified clients while patching
Patch Information
The vulnerability has been fixed in FeathersJS version 5.0.40. The patch modifies the origin validation logic to properly parse URLs using the URL constructor and compare full origins instead of using prefix matching. The fix ensures that https://target.com.attacker.com will no longer match against https://target.com because the parsed origins are fundamentally different.
For detailed patch information, see the GitHub Security Advisory GHSA-mp4x-c34x-wv3x and the official release notes for v5.0.40.
Workarounds
- If immediate upgrade is not possible, implement reverse proxy rules to validate Referer headers before they reach the application
- Temporarily disable OAuth authentication and use alternative authentication methods
- Add explicit domain validation at the application layer before OAuth processing
- Configure Content Security Policy headers to restrict framing and form submissions to known origins
# Update FeathersJS to the patched version (npm install pins the exact version;
# npm update alone would only move within the range declared in package.json)
npm install @feathersjs/feathers@5.0.40
npm install @feathersjs/authentication-oauth@5.0.40
# Verify the installed versions
npm list @feathersjs/feathers
npm list @feathersjs/authentication-oauth
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.