Feathersjs has an OAuth Callback Account Takeover
Description
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's authentication payload has a fallback chain that reaches params.query (the raw request query) when Grant's session/state responses are empty. Since the attacker never initiated an OAuth authorize flow, Grant has no session to work with and produces no response, so the fallback fires. The forged profile then drives entity lookup and JWT minting. The attacker gets a valid access token for an existing user without ever contacting the OAuth provider. This vulnerability is fixed in 5.0.42.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated attacker can forge an OAuth profile in a direct callback request to gain a valid JWT for any existing user, bypassing the OAuth provider entirely.
Vulnerability
Overview
CVE-2026-29792 is an authentication bypass vulnerability in Feathersjs versions 5.0.0 through 5.0.41. The OAuth service's authentication payload contains a fallback chain that, when Grant's session/state responses are empty, reaches params.query — the raw request query string. An attacker who never initiates an OAuth authorize flow can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. Since Grant has no session to work with, it produces no response, causing the fallback to fire and use the attacker-supplied profile [1][3].
Exploitation
No authentication is required. The attacker only needs network access to the target Feathersjs application. By crafting a GET request to the OAuth callback endpoint with a query string containing a forged profile (e.g., ?profile=%7B%22id%22%3A%22...%22%7D), the fallback logic processes this fake profile as if it came from a legitimate OAuth provider. The forged profile then drives entity lookup and JWT minting [1][3].
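The fallback chain described above, reduced to a hypothetical helper beside a hardened variant (an added illustration, not code from @feathersjs/authentication-oauth; the function names, the parameter shape and the "require a Grant response" check are assumptions):

```javascript
// Added illustration of the fallback pattern the advisory describes.
// Hypothetical helpers; not the Feathers project's own code.

// Pull whatever Grant stored for this authorize flow (session or state).
function grantResponse(params) {
  return (params.session && params.session.grant && params.session.grant.response)
    || (params.state && params.state.response)
    || null;
}

// Vulnerable shape: when Grant produced nothing (no authorize flow ever ran),
// the payload falls through to params.query, so an attacker-supplied
// ?profile=... in a direct GET to /oauth/:provider/callback is trusted.
function resolvePayloadVulnerable(params) {
  return grantResponse(params) || params.query;
}

// Hardened shape (assumed mitigation): only a payload Grant itself produced
// may reach entity lookup and JWT minting; anything else is refused.
function resolvePayloadHardened(params) {
  const response = grantResponse(params);
  if (!response || !response.profile) {
    throw new Error('OAuth callback without a Grant response; refusing to authenticate');
  }
  return response;
}

// Constructed request: unauthenticated callback with no Grant session and a
// forged profile in the query string (decoded form of ?profile=%7B%22id%22...).
const forgedCallbackParams = {
  session: {},
  state: undefined,
  query: { profile: { id: 'example-user-id' } },
};

// Returns what each variant does with the forged request.
function demonstrate() {
  const vulnerable = resolvePayloadVulnerable(forgedCallbackParams);
  let hardenedRejected = false;
  try {
    resolvePayloadHardened(forgedCallbackParams);
  } catch (e) {
    hardenedRejected = true;
  }
  return { vulnerableProfileId: vulnerable.profile.id, hardenedRejected };
}
```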
Impact
Successful exploitation yields a valid access token for an existing user without ever contacting the OAuth provider. This effectively allows an unauthenticated attacker to impersonate any user whose identifier can be guessed or enumerated, leading to full account takeover. The CVSS 4.0 score is 9.8 (Critical) [1][3].
Mitigation
The vulnerability is fixed in Feathersjs version 5.0.42. Users running versions 5.0.0 through 5.0.41 should upgrade immediately. No workarounds have been published [1][3].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @feathersjs/authentication-oauth (npm) | >= 5.0.0, < 5.0.42 | 5.0.42 |
Affected products
- Range: >= 5.0.0, < 5.0.42
- @feathersjs/authentication-oauth v5, range: >= 5.0.0, < 5.0.42
- feathersjs/feathers v5, range: >= 5.0.0, < 5.0.42
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-wg9x-qfgw-pxhj (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-29792 (ghsa, ADVISORY)
- github.com/feathersjs/feathers/security/advisories/GHSA-wg9x-qfgw-pxhj (ghsa, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.