Web API Framework Vulnerability in Feathersjs Affects User Access Security
CVE-2026-27191

7.4HIGH

Key Information:

Vendor

Feathersjs

Status
Vendor
CVE Published:
21 February 2026

What is CVE-2026-27191?

Feathersjs, a popular framework for building web APIs and real-time applications, has a vulnerability in its handling of user-supplied redirect URLs. In versions 5.0.39 and earlier, the framework allows the redirect query parameter to be appended to the base origin without sufficient validation. This flaw permits attackers to inject a malicious URL that alters the handling of access tokens, leading to potential account takeovers. By manipulating the redirect parameter, an attacker can exploit a misconfigured origins array and gain control over user accounts by intercepting access tokens. This critical issue has been addressed in version 5.0.40.

Affected Version(s)

feathers < 5.0.40

References

CVSS V4

Score:
7.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.