Feathers has an open redirect in OAuth callback enables account takeover
- Severity: High
Description
The `redirect` query parameter is appended to the base origin without validation. Because the unvalidated value can change the authority (host) of the resulting URL (URL authority injection), an attacker can cause the OAuth callback, and with it the access token, to be sent to a host they control. This leads to full account takeover: the attacker obtains the victim's access token and can impersonate them.
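The pattern the advisory describes, as an added illustration that is not Feathers' own code: a naive builder that concatenates the base origin with the untrusted parameter, beside a hardened builder that resolves the parameter against the origin and rejects anything whose origin differs. Function names and the base origin are hypothetical and constructed for the example.

```javascript
// Added example (not code from @feathersjs/authentication-oauth). Demonstrates
// why string concatenation of origin + untrusted redirect is unsafe and how an
// origin check on the parsed URL closes the hole. Names are hypothetical.

// Constructed base origin for the example (not a real deployment).
const BASE_ORIGIN = 'https://app.example';

// Vulnerable pattern named in the advisory: the parameter is appended to the
// origin string with no validation. A value whose leading characters alter the
// URL authority yields a URL whose host is no longer BASE_ORIGIN's host.
function buildRedirectNaive(origin, redirect) {
  return origin + redirect;
}

// Hardened pattern: resolve the parameter relative to the base origin with the
// WHATWG URL parser, then require that the parsed origin still matches the
// base origin. Absolute foreign URLs, protocol-relative '//host' values,
// userinfo tricks and non-http schemes all fail the comparison and fall back
// to a fixed, same-origin default path.
function buildRedirectSafe(origin, redirect, fallback = '/') {
  const base = new URL(origin);
  let target;
  try {
    target = new URL(redirect, base);
  } catch {
    return new URL(fallback, base).href; // unparsable input: use the default
  }
  if (target.origin !== base.origin) {
    return new URL(fallback, base).href; // authority changed: use the default
  }
  return target.href;
}

// Host that a browser would actually connect to for a given URL; used to show
// where the two builders disagree for the same input.
function hostOf(href) {
  return new URL(href).host;
}
```

For the same relative path both builders agree; for a value that rewrites the authority, only the hardened builder keeps the browser on the application's host.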
Recommendation
Update the @feathersjs/authentication-oauth package to the latest compatible version. The version details are as follows:
- Affected version(s): <= 5.0.39
- Patched version(s): 5.0.40
References
Related Issues
- Feathers has an OAuth Callback Account Takeover issue - CVE-2026-29792
- Feathers has an origin validation bypass via prefix matching - CVE-2026-27192
- Parse Server OAuth2 authentication adapter account takeover via identity spoofing - CVE-2026-30967
- Feathers exposes internal headers via unencrypted session cookie - CVE-2026-27193
Tags
- npm
- @feathersjs/authentication-oauth
Last updated on February 23, 2026