CVE-2026-29792: Unauthenticated Account Takeover via Improper Authentication in FeathersJS OAuth
CVSS Score: 9.8 Published: 2026-03-10 Full Report: https://cvereports.com/reports/CVE-2026-29792
FeathersJS versions prior to 5.0.42 contain a critical improper authentication vulnerability in the OAuth callback handler. An unauthenticated attacker can forge user profile data via URL query parameters, bypassing the standard OAuth flow to obtain a valid JSON Web Token (JWT) for any user account.
A fallback logic flaw in the FeathersJS OAuth module allows attackers to supply arbitrary identity data in query parameters during the callback phase. This results in complete, unauthenticated account takeover.
- CWE ID: CWE-287
- Attack Vector: Network (Remote)
- Authentication Required: None
- CVSS v4.0: 9.3
- Exploit Status: PoC Available
- CISA KEV: No
- feathersjs framework
- @feathersjs/authentication-oauth
- @feathersjs/mongodb
- @feathersjs/authentication-oauth: >= 5.0.0, < 5.0.42 (Fixed in: 5.0.42)
- @feathersjs/mongodb: >= 5.0.0, < 5.0.42 (Fixed in: 5.0.42)
- Upgrade @feathersjs/authentication-oauth and @feathersjs/mongodb to version 5.0.42 or higher.
- Implement a pre-authentication hook to sanitize or reject requests containing profile objects in the URL query string.
- Monitor access logs for direct hits to /oauth/*/callback containing suspicious query parameters.
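The two interim mitigations above (rejecting callback requests that carry a profile object in the query string, and monitoring access logs for the same pattern) can share one piece of logic. The following is an added defensive example written for this report; it is not FeathersJS project code. It assumes an Express-style middleware signature (req, res, next), a combined-log-format request field of the form "GET /path?query HTTP/1.1", and a forbidden parameter name of profile as named in the advisory; the sample log lines are constructed.

```javascript
// Added defensive example, not code from the FeathersJS project.
// Assumptions: Express-style (req, res, next) middleware, combined-log-format
// access-log lines, and "profile" as the client-supplied parameter to block.
const FORBIDDEN_PARAMS = ['profile'];

// Matches /oauth/<provider>/callback exactly (no trailing segments).
const CALLBACK_PATH = /^\/oauth\/[^/]+\/callback$/;

// Return the forbidden top-level parameter names present in a query object.
// Handles flat keys ("profile"), bracket keys ("profile[email]") and
// already-nested objects ({ profile: { id: 1 } }) the same way.
function findForbiddenParams(query) {
  const hits = [];
  for (const key of Object.keys(query)) {
    const base = key.split('[')[0];
    if (FORBIDDEN_PARAMS.includes(base) && !hits.includes(base)) hits.push(base);
  }
  return hits;
}

// A request is rejected only when it targets the OAuth callback path AND
// carries identity data the provider, not the client, is supposed to supply.
function shouldReject(path, query) {
  return CALLBACK_PATH.test(path) && findForbiddenParams(query).length > 0;
}

// Middleware factory (assumed Express-style signature). Mount it before the
// OAuth handler so forged callbacks never reach the authentication logic.
function rejectForgedProfile() {
  return (req, res, next) => {
    if (shouldReject(req.path, req.query || {})) {
      res.status(400).json({ error: 'unexpected identity data in callback query' });
      return;
    }
    next();
  };
}

// Split a request target into its path and a flat query object. Bracket keys
// are kept verbatim so findForbiddenParams can see their base name.
function parseQuery(rawUrl) {
  const u = new URL(rawUrl, 'http://localhost'); // URL is a Node global
  const query = {};
  for (const [k, v] of u.searchParams) query[k] = v;
  return { path: u.pathname, query };
}

// Detection side: scan access-log lines for callback hits that would have
// been rejected. Returns one finding per matching line.
function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = line.match(/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/);
    if (!m) continue;
    const { path, query } = parseQuery(m[1]);
    if (shouldReject(path, query)) {
      findings.push({ line, params: findForbiddenParams(query) });
    }
  }
  return findings;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /oauth/github/callback?code=abc&state=xyz HTTP/1.1" 302 0',
  '203.0.113.9 - - [10/Mar/2026:12:00:02 +0000] "GET /oauth/github/callback?profile[id]=1&profile[email]=admin%40example.com HTTP/1.1" 200 512',
  '203.0.113.9 - - [10/Mar/2026:12:00:03 +0000] "GET /users?profile=1 HTTP/1.1" 200 88',
];

// Stand-alone run: print suspicious callback hits from the constructed log.
for (const f of scanAccessLog(SAMPLE_LOG)) {
  console.log('suspicious callback hit, params:', f.params.join(','), '|', f.line);
}
```

The middleware and the log scanner call the same shouldReject predicate, so the rule enforced in production and the rule used for retrospective hunting cannot drift apart. Only the second sample line is flagged: a normal callback carrying code and state passes, and a profile parameter on a non-callback route is ignored because the flaw is specific to the callback handler.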
Remediation Steps:
- Navigate to the project directory containing package.json.
- Execute npm install @feathersjs/authentication-oauth@^5.0.42 @feathersjs/mongodb@^5.0.42 or the equivalent command for yarn/pnpm.
- Verify the installed versions by checking npm list @feathersjs/authentication-oauth.
- Run the application's test suite to ensure no breaking changes affect authentication workflows.
- Deploy the updated application build to staging and production environments.
Generated by CVEReports - Automated Vulnerability Intelligence