CVE-2026-41213 Overview
CVE-2026-41213 is an authentication bypass vulnerability in @node-oauth/oauth2-server, a module for implementing an OAuth2 server in Node.js. The vulnerability affects the token exchange path, which improperly accepts RFC7636-invalid code_verifier values (including one-character strings) for S256 PKCE flows. This improper validation allows attackers who have intercepted an authorization code to brute-force code_verifier guesses until token issuance succeeds, as failed verifier attempts do not consume the authorization code.
Critical Impact
Attackers can bypass PKCE protection by brute-forcing weak code verifiers, potentially gaining unauthorized access to OAuth2 tokens and protected resources.
Affected Products
- @node-oauth/oauth2-server (versions prior to patch)
- Node.js applications implementing OAuth2 with PKCE using vulnerable versions
- Services relying on S256 PKCE flows for authorization code exchange
Discovery Timeline
- 2026-04-23 - CVE-2026-41213 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-41213
Vulnerability Analysis
This vulnerability represents a critical flaw in the PKCE (Proof Key for Code Exchange) implementation within @node-oauth/oauth2-server. PKCE was designed as an extension to the OAuth2 authorization code flow to prevent authorization code interception attacks, particularly in public clients such as mobile and single-page applications.
RFC7636 specifies that a code_verifier must be a cryptographically random string between 43 and 128 characters in length. The vulnerable implementation fails to enforce this minimum length requirement, accepting verifiers as short as a single character. This dramatically reduces the entropy of the PKCE challenge, making brute-force attacks feasible.
The vulnerability is further exacerbated by the fact that failed verification attempts do not invalidate or consume the authorization code. This allows an attacker to make unlimited guesses against an intercepted authorization code without triggering any lockout mechanism.
Root Cause
The root cause is improper input validation (CWE-307: Improper Restriction of Excessive Authentication Attempts) in the token exchange handler. The implementation fails to validate that the code_verifier parameter meets RFC7636's minimum length requirements before processing the PKCE verification. Additionally, the authorization code is not consumed upon failed verification attempts, enabling unlimited brute-force attempts.
Attack Vector
The attack requires network access and the ability to intercept an authorization code, typically through a man-in-the-middle position or by exploiting redirect URI vulnerabilities. Once an authorization code is obtained, the attacker can repeatedly attempt token exchange requests with different code_verifier values.
The exploitation scenario involves:
- The attacker intercepts an authorization code during the OAuth2 flow
- The attacker sends token exchange requests with short/weak code_verifier values
- Since failed attempts don't consume the code, unlimited guesses are possible
- With minimal entropy requirements, brute-forcing becomes computationally feasible
- Upon successful verification, the attacker receives valid access tokens
For detailed technical information, see the GitHub Security Advisory.
Detection Methods for CVE-2026-41213
Indicators of Compromise
- Multiple token exchange requests using the same authorization code but different code_verifier values
- Token exchange requests with unusually short code_verifier parameters (less than 43 characters)
- Repeated failed token exchange attempts followed by a successful exchange from a different IP address
- Unusual patterns of authorization code usage from multiple sources
Detection Strategies
- Monitor OAuth2 token endpoints for repeated requests with identical authorization codes
- Implement alerting for code_verifier values that don't meet RFC7636 length requirements
- Log and analyze failed PKCE verification attempts for patterns indicative of brute-force attacks
- Track authorization code usage across different client IPs to detect interception attempts
Monitoring Recommendations
- Enable verbose logging on OAuth2 token exchange endpoints
- Set up rate limiting alerts for token exchange requests per authorization code
- Monitor for anomalous authorization code reuse patterns
- Implement real-time alerting for PKCE validation failures exceeding threshold
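An added example, not part of this advisory or of @node-oauth/oauth2-server: a small detector for the indicators and strategies listed above, run over constructed token-endpoint log lines. The field names (ip, code, verifier_len, result) and the reuse threshold are assumptions chosen for illustration.

```javascript
// Constructed sample of token-endpoint log lines (not real traffic).
// AC2 shows the pattern described above: short verifiers, repeated attempts
// against one code, then a success from a different source IP.
const SAMPLE_LOG = [
  'ts=1 ip=10.0.0.5 code=AC1 verifier_len=43 result=ok',
  'ts=2 ip=203.0.113.9 code=AC2 verifier_len=1 result=fail',
  'ts=3 ip=203.0.113.9 code=AC2 verifier_len=1 result=fail',
  'ts=4 ip=203.0.113.9 code=AC2 verifier_len=2 result=fail',
  'ts=5 ip=203.0.113.10 code=AC2 verifier_len=2 result=ok',
  'ts=6 ip=10.0.0.7 code=AC3 verifier_len=64 result=ok',
];

// Parse one "key=value key=value" line into an object (assumed log format).
function parseLine(line) {
  const rec = {};
  for (const kv of line.trim().split(/\s+/)) {
    const i = kv.indexOf('=');
    if (i > 0) rec[kv.slice(0, i)] = kv.slice(i + 1);
  }
  rec.verifier_len = Number(rec.verifier_len);
  return rec;
}

// Emit alerts for: verifiers shorter than RFC 7636's minimum, more exchange
// attempts per code than maxAttemptsPerCode, and a success following failures
// from a different IP. Returns the list of alerts in log order.
function detect(lines, { maxAttemptsPerCode = 2, minVerifierLen = 43 } = {}) {
  const alerts = [];
  const perCode = new Map(); // code -> { attempts, failIps }
  for (const rec of lines.map(parseLine)) {
    if (rec.verifier_len < minVerifierLen) {
      alerts.push({ type: 'short_verifier', code: rec.code, ip: rec.ip });
    }
    const st = perCode.get(rec.code) || { attempts: 0, failIps: new Set() };
    st.attempts += 1;
    if (rec.result !== 'ok') {
      st.failIps.add(rec.ip);
    } else if (st.failIps.size > 0 && !st.failIps.has(rec.ip)) {
      alerts.push({ type: 'success_after_failures_new_ip', code: rec.code, ip: rec.ip });
    }
    if (st.attempts === maxAttemptsPerCode + 1) {
      alerts.push({ type: 'code_reuse', code: rec.code, attempts: st.attempts });
    }
    perCode.set(rec.code, st);
  }
  return alerts;
}
```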
How to Mitigate CVE-2026-41213
Immediate Actions Required
- Update @node-oauth/oauth2-server to the latest patched version immediately
- Audit existing OAuth2 implementations for proper PKCE validation
- Implement rate limiting on token exchange endpoints to mitigate brute-force attempts
- Review logs for signs of exploitation attempts using the detection methods above
Patch Information
Security updates are available to address this vulnerability. Refer to the GitHub Security Advisory for specific version information and patching instructions. Organizations should prioritize updating their @node-oauth/oauth2-server dependency to include the fix that enforces RFC7636-compliant code_verifier validation and ensures authorization codes are consumed after failed verification attempts.
Workarounds
- Implement a middleware layer that validates code_verifier length (minimum 43 characters) before passing requests to the OAuth2 server
- Add rate limiting to the token exchange endpoint to slow down brute-force attempts
- Configure authorization codes to expire after a limited number of failed verification attempts
- Monitor and block IPs showing brute-force patterns against the token endpoint
- Consider implementing additional authorization code binding mechanisms until patching is complete
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.