Platform: nodejs
Component: @feathersjs/authentication-oauth
Fixed in: 5.0.42
CVE-2026-29792 describes a critical authentication bypass in the @feathersjs/authentication-oauth component of FeathersJS. An unauthenticated attacker can craft a single GET request and receive a valid access token for an existing user without ever completing an OAuth authorization flow with the provider. The flaw affects versions prior to 5.0.42 and should be patched promptly to prevent unauthorized account access and data exposure.
The impact of CVE-2026-29792 is severe. The OAuth callback endpoint, /oauth/:provider/callback, is meant to be reached only by the provider's redirect after a real token exchange. In affected versions the service instead accepts an OAuth profile supplied directly in the request's query string, so an attacker who forges a profile carrying the identifier the application uses to link a provider account to a local user is issued that user's access token. With the token the attacker can read, modify, delete or exfiltrate whatever that user is authorized to touch. Because no credentials, session or prior interaction are required, the bug is reachable by anyone who can send HTTP requests to the application.
CVE-2026-29792 was publicly disclosed on 2026-03-10. No public proof-of-concept (PoC) has been released as of this writing, and the published EPSS score is low (0.05%, 16th percentile), so observed exploitation activity is currently limited. That said, the request is trivial to construct once the mechanism is understood, so treat the low EPSS as a snapshot rather than a reason to defer patching. The vulnerability is not currently listed in the CISA KEV catalog. Monitor security advisories and threat intelligence feeds for indications of active exploitation.
Exploit Status
EPSS: 0.05% (16th percentile)
CISA SSVC
The primary mitigation for CVE-2026-29792 is to upgrade the @feathersjs/authentication-oauth package to version 5.0.42 or later. This release removes the fallback to the raw request query when assembling the authentication payload, so a profile can no longer be injected through the query string. If upgrading is not immediately feasible, a Web Application Firewall (WAF) rule that rejects requests to /oauth/:provider/callback whose query string carries anything beyond the parameters a provider redirect legitimately sends (code, state and the standard error fields) is a reasonable stopgap; in particular, block or alert on profile-shaped keys in that query string. Note that the callback endpoint must remain reachable by users' browsers, since the provider redirects them there, so it cannot simply be restricted to trusted source addresses. After upgrading, confirm the fix by sending a GET to /oauth/:provider/callback with a forged profile in the query string and no prior provider exchange; the response must not contain an access token.
Update FeathersJS to version 5.0.42 or later. This version fixes the authentication bypass vulnerability in the OAuth callback. The update prevents unauthenticated attackers from obtaining unauthorized access to user accounts.
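The following is an added illustration of the bug class described above (a callback handler that falls back to attacker-controlled query data) next to its hardened form, plus the allowlist check a WAF or detection rule for the callback endpoint would apply. It is a simplified model written for this page, not FeathersJS source: the session shape, the user store, the token format and the list of expected redirect parameters are all assumptions.

```javascript
// Model of the CVE-2026-29792 pattern. Not FeathersJS code; the session
// layout, user store and token format below are assumptions for illustration.

// Constructed sample user store, keyed by "<provider>:<provider profile id>".
const USERS = new Map([
  ['github:42', { id: 1, email: 'alice@example.com' }],
]);

// Stand-in for the JWT the authentication service would mint for a user.
function issueAccessToken(user) {
  return `token-for-user-${user.id}`;
}

function lookupUser(provider, profile) {
  if (!profile || profile.id == null) return undefined;
  return USERS.get(`${provider}:${profile.id}`);
}

// VULNERABLE shape: when no provider exchange populated the session, the
// handler falls back to the raw query string, so an unauthenticated GET with
// a forged profile yields a real token for whichever user that profile maps to.
function vulnerableCallback(provider, req) {
  const fromSession = req.session?.grant?.response?.profile;
  const profile = fromSession ?? req.query.profile; // the flawed fallback
  const user = lookupUser(provider, profile);
  return user ? { accessToken: issueAccessToken(user) } : null;
}

// HARDENED shape: the profile may only come from server-side state written by
// the code-for-token exchange with the provider; the query string is ignored.
function hardenedCallback(provider, req) {
  const profile = req.session?.grant?.response?.profile;
  if (!profile) return null; // no completed provider exchange, no token
  const user = lookupUser(provider, profile);
  return user ? { accessToken: issueAccessToken(user) } : null;
}

// Detection / WAF helper. A genuine provider redirect to the callback carries
// only a small, known set of query parameters; anything else (e.g. profile[id])
// is worth blocking or alerting on. The allowlist is an assumption covering
// common OAuth 2.0 / OpenID Connect redirect parameters; adjust per provider.
const EXPECTED_CALLBACK_PARAMS = new Set([
  'code', 'state', 'scope', 'error', 'error_description', 'error_uri',
  'iss', 'session_state',
]);

function unexpectedCallbackParams(requestTarget) {
  // Base URL is a placeholder so relative request targets parse.
  const url = new URL(requestTarget, 'http://placeholder.invalid');
  return [...url.searchParams.keys()].filter((k) => !EXPECTED_CALLBACK_PARAMS.has(k));
}

// Constructed sample requests. `forged` is what an attacker sends: no session,
// profile already parsed from ?profile[id]=42 by the query-string parser.
const forged = {
  session: undefined,
  query: { profile: { id: '42' } },
};
const legitimate = {
  session: { grant: { response: { profile: { id: '42', login: 'alice' } } } },
  query: { code: 'abc', state: 'xyz' },
};

console.log('vulnerable, forged request:', vulnerableCallback('github', forged));
console.log('hardened, forged request:  ', hardenedCallback('github', forged));
console.log('hardened, real exchange:   ', hardenedCallback('github', legitimate));
console.log('unexpected params:', unexpectedCallbackParams(
  '/oauth/github/callback?profile[id]=42&profile[login]=alice'));
```

The detection helper is deliberately an allowlist rather than a search for the literal string "profile": a forged payload can be spelled in several query encodings, but a real provider redirect never needs keys outside the expected set, so rejecting any extra key is both simpler and harder to evade.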
CVE-2026-29792 is a critical vulnerability in the FeathersJS OAuth component that lets unauthenticated attackers forge an OAuth profile in a callback request and obtain access tokens for existing users; it affects versions before 5.0.42.
You are affected if your FeathersJS application uses the @feathersjs/authentication-oauth package at any version prior to 5.0.42. Immediate action is required.
Upgrade the @feathersjs/authentication-oauth package to version 5.0.42 or later. If upgrading must wait, a WAF rule that restricts the query parameters accepted on /oauth/:provider/callback is a temporary mitigation, not a substitute for the patch.
No public exploits are currently known and the EPSS score is low, but the request needed to exploit the flaw is simple to construct, so exploitation remains plausible. Monitor security advisories and threat intelligence.
Refer to the official FeathersJS security advisories and release notes on their website or GitHub repository for the latest information and updates.