Description
An unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service’s authentication payload has a fallback chain that reaches params.query (the raw request query) when Grant’s session/state responses are empty.
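The defect described above, as an added illustration constructed for this page (not the @feathersjs/authentication-oauth source): a callback payload builder whose fallback chain reaches params.query, beside a version that only accepts the profile Grant stored server-side and fails closed when that is missing. The params shape, the function names and the sample request are assumptions.

```javascript
'use strict';

// Picks the provider response Grant stored after the token exchange.
// Hypothetical params shape: { query, session: { grant: { response } }, state: { response } }.
function grantResponse(params) {
  const fromSession = params.session && params.session.grant && params.session.grant.response;
  const fromState = params.state && params.state.response;
  return fromSession || fromState || undefined;
}

// Vulnerable pattern: when the session/state response is empty the chain
// falls through to the raw request query, so the client controls the profile.
function payloadFromParamsUnsafe(params) {
  return grantResponse(params) || params.query;
}

// Hardened pattern: an empty Grant response means the provider round-trip
// never completed, so the callback is rejected instead of trusting the query.
function payloadFromParamsSafe(params) {
  const response = grantResponse(params);
  if (!response || typeof response !== 'object' || !response.profile) {
    throw new Error('OAuth callback without a completed Grant flow');
  }
  return response;
}

// Constructed sample: a callback hit with no Grant session and a profile
// supplied in the query string (the condition the advisory describes).
const directCallback = {
  query: { profile: { id: 'user-1', email: 'victim@example.com' } },
  session: {},
  state: {},
};

// Constructed sample: a genuine callback where Grant populated the session.
const completedFlow = {
  query: {},
  session: { grant: { response: { profile: { id: 'p1' }, access_token: 'tok' } } },
  state: {},
};
```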
Recommendation
Update the @feathersjs/authentication-oauth package to the latest compatible version. Version details:
- Affected version(s): >= 5.0.0, <= 5.0.41
- Patched version(s): 5.0.42
References
Related Issues
- Feathers has an open redirect in OAuth callback enables account takeover - CVE-2026-27191
- Feathers has an origin validation bypass via prefix matching - CVE-2026-27192
- Parse Server: Account takeover via operator injection in authentication data identifier - CVE-2026-32248
- StudioCMS: IDOR — Admin-to-Owner Account Takeover via Password Reset Link Generation - CVE-2026-32103
Tags
- npm
- @feathersjs/authentication-oauth
Last updated on March 10, 2026