DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-29792: Unauthenticated Account Takeover via Improper Authentication in FeathersJS OAuth


Vulnerability ID: CVE-2026-29792
CVSS Score: 9.8
Published: 2026-03-10

FeathersJS versions prior to 5.0.42 contain a critical improper authentication vulnerability in the OAuth callback handler. An unauthenticated attacker can forge user profile data via URL query parameters, bypassing the standard OAuth flow to obtain a valid JSON Web Token (JWT) for any user account.

TL;DR

A fallback logic flaw in the FeathersJS OAuth module allows attackers to supply arbitrary identity data in query parameters during the callback phase. This results in complete, unauthenticated account takeover.

⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-287
  • Attack Vector: Network (Remote)
  • Authentication Required: None
  • CVSS v4.0: 9.3
  • Exploit Status: PoC Available
  • CISA KEV: No

Affected Systems

  • FeathersJS framework
  • @feathersjs/authentication-oauth: >= 5.0.0, < 5.0.42 (fixed in 5.0.42)
  • @feathersjs/mongodb: >= 5.0.0, < 5.0.42 (fixed in 5.0.42)

Code Analysis

Commit: d6b0b5c

Fix OAuth callback handling to prevent untrusted profile forging via params.query.

Commit: 163e664

Add explicit type validation for identifiers in MongoDB adapter to prevent NoSQL injection.

Mitigation Strategies

  • Upgrade @feathersjs/authentication-oauth and @feathersjs/mongodb to version 5.0.42 or higher.
  • Implement a pre-authentication hook to sanitize or reject requests containing profile objects in the URL query string.
  • Monitor access logs for direct hits to /oauth/*/callback containing suspicious query parameters.
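
The pre-authentication hook suggested above, written here as an added example rather than code from the FeathersJS project or the advisory: a Feathers-style "before" hook that rejects external requests whose URL query carries a profile object or any other object-valued parameter, on the assumption that a genuine provider callback only carries scalar values such as `code` and `state`. The `BadRequest` class below is a dependency-free stand-in for the one in `@feathersjs/errors`, and the hook context shape (`params.query`, `params.provider`) is the standard Feathers one.

```javascript
// Added example (not FeathersJS project code): reject identity data smuggled
// into the OAuth callback query string before authentication runs.
// Assumption: the hook context has the usual Feathers shape
// ({ params: { query, provider } }); BadRequest stands in for @feathersjs/errors.

class BadRequest extends Error {
  constructor(message) {
    super(message);
    this.name = 'BadRequest';
    this.code = 400;
  }
}

// Query keys a client must never supply on an OAuth callback. The list is a
// starting point (assumption); extend it to match your authentication config.
const FORBIDDEN_KEYS = ['profile'];

// Returns the offending query key, or null when the query looks clean.
// Handles both parsed nested objects ({ profile: { email } }) and flat
// bracket/dot keys ("profile[email]", "profile.email") in case the query
// parser does not nest parameters.
function findForgedIdentity(query) {
  if (!query || typeof query !== 'object') return null;
  for (const key of Object.keys(query)) {
    const base = key.split(/[[.]/, 1)[0];
    if (FORBIDDEN_KEYS.includes(base)) return key;
    const value = query[key];
    // A provider callback only carries scalars (code, state, scope, error);
    // any object-valued parameter is client-constructed and is rejected.
    if (value !== null && typeof value === 'object') return key;
  }
  return null;
}

// Feathers "before" hook: checks only external calls (params.provider is set);
// internal server-side calls have no provider and pass through untouched.
function rejectForgedProfile(context) {
  const { params } = context;
  if (!params || !params.provider) return context;
  const bad = findForgedIdentity(params.query);
  if (bad !== null) {
    throw new BadRequest(`Unexpected identity parameter in OAuth callback query: ${bad}`);
  }
  return context;
}
```

Register the hook as a `before` hook on the OAuth/authentication service so it runs ahead of the callback handler; a rejected request surfaces as a 400 and can be counted in the log monitoring described above.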

Remediation Steps:

  1. Navigate to the project directory containing package.json.
  2. Execute npm install @feathersjs/authentication-oauth@^5.0.42 @feathersjs/mongodb@^5.0.42 or the equivalent command for yarn/pnpm.
  3. Verify the installed versions by checking npm list @feathersjs/authentication-oauth.
  4. Run the application's test suite to ensure no breaking changes affect authentication workflows.
  5. Deploy the updated application build to staging and production environments.

References

Read the full report for CVE-2026-29792 on our website for more details including interactive diagrams and full exploit analysis.
