Origin Validation Bypass in Feathersjs Framework by Feathersjs
CVE-2026-27192

7.6HIGH

Key Information:

Vendor

Feathersjs

Status
Vendor
CVE Published:
21 February 2026

What is CVE-2026-27192?

A vulnerability in the Feathersjs framework allows attackers to bypass origin validation by leveraging a prefix matching approach in the getAllowedOrigin() function. This method inadequately verifies the Referer header by only checking if it starts with an allowed origin. As a result, an attacker can register a malicious domain with a prefix matching an allowed origin (e.g., https://target.com.attacker.com against https://target.com) and exploit the OAuth flow from this unauthorized origin, leading to potential token exfiltration and full account takeover. This issue was effectively resolved in version 5.0.40, highlighting the importance of rigorous origin validation.

Affected Version(s)

feathers < 5.0.40

References

CVSS V4

Score:
7.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.