Medium severity5.9NVD Advisory· Published Apr 23, 2026· Updated Apr 25, 2026

CVE-2026-41213

Description

@node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid code_verifier values (including one-character strings) for S256 PKCE flows. Because short/weak verifiers are accepted and failed verifier attempts do not consume the authorization code, an attacker who intercepts an authorization code can brute-force code_verifier guesses online until token issuance succeeds.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
@node-oauth/oauth2-servernpm	< 5.3.0	5.3.0

Affected products

Node Oauth/Node Oauth2 Serverinferred

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-jhm7-29pj-4xvfghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-41213ghsaADVISORY
github.com/node-oauth/node-oauth2-server/security/advisories/GHSA-jhm7-29pj-4xvfnvdWEB

News mentions

No linked articles in our index yet.

cvss	0.384
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000