Origin Validation Bypass in Feathersjs Framework by Feathersjs
CVE-2026-27192
7.6HIGH
What is CVE-2026-27192?
A vulnerability in the Feathersjs framework allows attackers to bypass origin validation by leveraging a prefix matching approach in the getAllowedOrigin() function. This method inadequately verifies the Referer header by only checking if it starts with an allowed origin. As a result, an attacker can register a malicious domain with a prefix matching an allowed origin (e.g., https://target.com.attacker.com against https://target.com) and exploit the OAuth flow from this unauthorized origin, leading to potential token exfiltration and full account takeover. This issue was effectively resolved in version 5.0.40, highlighting the importance of rigorous origin validation.
Affected Version(s)
feathers < 5.0.40
