Medium severity5.9NVD Advisory· Published Apr 23, 2026· Updated Jun 2, 2026
CVE-2026-41213
CVE-2026-41213
Description
@node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid code_verifier values (including one-character strings) for S256 PKCE flows. Because short/weak verifiers are accepted and failed verifier attempts do not consume the authorization code, an attacker who intercepts an authorization code can brute-force code_verifier guesses online until token issuance succeeds.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@node-oauth/oauth2-servernpm | < 5.3.0 | 5.3.0 |
Affected products
2- cpe:2.3:a:node-oauth:node-oauth\/oauth2-server:*:*:*:*:*:node.js:*:*Range: <5.3.0
Patches
Vulnerability mechanics
References
3- github.com/node-oauth/node-oauth2-server/security/advisories/GHSA-jhm7-29pj-4xvfnvdExploitMitigationVendor AdvisoryWEB
- github.com/advisories/GHSA-jhm7-29pj-4xvfghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-41213ghsaADVISORY
News mentions
0No linked articles in our index yet.