Web API Framework Vulnerability in Feathersjs Affects User Access Security
CVE-2026-27191
7.4HIGH
What is CVE-2026-27191?
Feathersjs, a popular framework for building web APIs and real-time applications, has a vulnerability in its handling of user-supplied redirect URLs. In versions 5.0.39 and earlier, the framework allows the redirect query parameter to be appended to the base origin without sufficient validation. This flaw permits attackers to inject a malicious URL that alters the handling of access tokens, leading to potential account takeovers. By manipulating the redirect parameter, an attacker can exploit a misconfigured origins array and gain control over user accounts by intercepting access tokens. This critical issue has been addressed in version 5.0.40.
Affected Version(s)
feathers < 5.0.40
