CVE-2026-29792
Received Received - Intake
OAuth Callback Injection in Feathersjs Allows Unauthorized Access

Publication date: 2026-03-10

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's authentication payload has a fallback chain that reaches params.query (the raw request query) when Grant's session/state responses are empty. Since the attacker never initiated an OAuth authorize flow, Grant has no session to work with and produces no response, so the fallback fires. The forged profile then drives entity lookup and JWT minting. The attacker gets a valid access token for an existing user without ever contacting the OAuth provider. This vulnerability is fixed in 5.0.42.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29792
EUVD
EUVD-2026-10824
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
feathersjs feathers From 5.0.0 (inc) to 5.0.42 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Feathersjs versions from 5.0.0 to before 5.0.42. An unauthenticated attacker can send a specially crafted GET request to the /oauth/:provider/callback endpoint with a forged profile included in the query string. Because the OAuth service's authentication payload falls back to using the raw request query when there is no session or state response from Grant, the attacker can bypass the normal OAuth authorization flow. This allows the attacker to obtain a valid access token for an existing user without ever contacting the OAuth provider.

Impact Analysis

The vulnerability allows an attacker to impersonate an existing user by obtaining a valid access token without proper authentication. This can lead to unauthorized access to user accounts and sensitive data, potentially compromising the security and integrity of applications using the affected Feathersjs versions.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Feathersjs to version 5.0.42 or later, where the issue has been fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29792. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart