{"id":"CVE-2026-27191","summary":"Feathers: Open Redirect in OAuth callback enables account takeover","details":"Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, the OAuth callback appends the user-supplied redirect query parameter to the configured base origin without validation, allowing an attacker to inject a URL authority and steal the victim's access token (CWE-601, open redirect). The application constructs the final redirect URL by string-concatenating the base origin with the redirect parameter rather than parsing and validating it. This is exploitable when the origins array is configured and the configured origin values do not end with a trailing slash (/). Supplying @attacker.com as the redirect value yields a URL such as https://target.com@attacker.com#access_token=...; the browser treats target.com as the userinfo component and attacker.com as the host, so the access token carried in the fragment is delivered to the attacker, who can then impersonate the victim (full account takeover). Consistent with the CVSS v4 vector (UI:A, AT:P), exploitation requires the victim to follow an attacker-crafted OAuth link and the deployment to use the vulnerable origins configuration. This issue has been fixed in version 5.0.40. Deployments that cannot upgrade immediately should validate the redirect parameter as a relative path or against an explicit allowlist of absolute URLs before redirecting; the advisory's precondition also suggests that origin values ending with / are not affected, but this should be verified against the fix commit rather than relied on as the sole mitigation.","aliases":["GHSA-ppf9-4ffw-hh4p"],"modified":"2026-04-10T05:37:06.246671Z","published":"2026-02-21T03:23:28.340Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27191.json","cwe_ids":["CWE-601"]},"references":[{"type":"WEB","url":"https://github.com/feathersjs/feathers/releases/tag/v5.0.40"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27191.json"},{"type":"ADVISORY","url":"https://github.com/feathersjs/feathers/security/advisories/GHSA-ppf9-4ffw-hh4p"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27191"},{"type":"FIX","url":"https://github.com/feathersjs/feathers/commit/ee19a0ae9bc2ebf23b1fe598a1f7361981b65401"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/feathersjs/feathers","events":[{"introduced":"0"},{"fixed":"f71178917bf5d38f2591c412b0f6edc69f211ee8"}]}],"versions":["0.0.2","0.0.3","0.0.4","0.1.0","0.2
.0","0.3.0","0.3.1","0.3.2","0.4.0","1.0.0","1.0.0-pre.1","1.0.0-pre.5","1.0.1","1.0.2","1.1.0-pre.0","@feathersjs/adapter-commons@1.0.0","@feathersjs/adapter-commons@1.0.1","@feathersjs/adapter-commons@1.0.2","@feathersjs/adapter-commons@1.0.3","@feathersjs/adapter-commons@1.0.4","@feathersjs/adapter-commons@1.0.5","@feathersjs/adapter-commons@1.0.6","@feathersjs/adapter-commons@1.0.7","@feathersjs/adapter-commons@2.0.0","@feathersjs/adapter-tests@1.0.0","@feathersjs/adapter-tests@1.0.1","@feathersjs/authentication-client@1.0.10","@feathersjs/authentication-client@1.0.11","@feathersjs/authentication-client@1.0.3","@feathersjs/authentication-client@1.0.4","@feathersjs/authentication-client@1.0.5","@feathersjs/authentication-client@1.0.6","@feathersjs/authentication-client@1.0.7","@feathersjs/authentication-client@1.0.8","@feathersjs/authentication-client@1.0.9","@feathersjs/authentication-jwt@2.0.10","@feathersjs/authentication-jwt@2.0.2","@feathersjs/authentication-jwt@2.0.3","@feathersjs/authentication-jwt@2.0.4","@feathersjs/authentication-jwt@2.0.5","@feathersjs/authentication-jwt@2.0.6","@feathersjs/authentication-jwt@2.0.7","@feathersjs/authentication-jwt@2.0.8","@feathersjs/authentication-jwt@2.0.9","@feathersjs/authentication-local@1.2.2","@feathersjs/authentication-local@1.2.3","@feathersjs/authentication-local@1.2.4","@feathersjs/authentication-local@1.2.5","@feathersjs/authentication-local@1.2.6","@feathersjs/authentication-local@1.2.7","@feathersjs/authentication-local@1.2.8","@feathersjs/authentication-local@1.2.9","@feathersjs/authentication-oauth1@1.0.10","@feathersjs/authentication-oauth1@1.0.4","@feathersjs/authentication-oauth1@1.0.5","@feathersjs/authentication-oauth1@1.0.6","@feathersjs/authentication-oauth1@1.0.7","@feathersjs/authentication-oauth1@1.0.8","@feathersjs/authentication-oauth1@1.0.9","@feathersjs/authentication-oauth1@1.1.0","@feathersjs/authentication-oauth1@1.1.1","@feathersjs/authentication-oauth2@1.2.1","@feathersjs/authenticati
on-oauth2@1.2.2","@feathersjs/authentication-oauth2@1.2.3","@feathersjs/authentication-oauth2@1.2.4","@feathersjs/authentication-oauth2@1.2.5","@feathersjs/authentication-oauth2@1.2.6","@feathersjs/authentication-oauth2@1.2.7","@feathersjs/authentication-oauth2@1.3.0","@feathersjs/authentication-oauth2@1.3.1","@feathersjs/authentication@2.1.10","@feathersjs/authentication@2.1.11","@feathersjs/authentication@2.1.12","@feathersjs/authentication@2.1.13","@feathersjs/authentication@2.1.14","@feathersjs/authentication@2.1.15","@feathersjs/authentication@2.1.16","@feathersjs/authentication@2.1.8","@feathersjs/authentication@2.1.9","@feathersjs/cli@3.8.1","@feathersjs/cli@3.8.2","@feathersjs/cli@3.8.3","@feathersjs/cli@3.8.4","@feathersjs/cli@3.8.5","@feathersjs/cli@3.8.6","@feathersjs/cli@3.8.7","@feathersjs/client@3.7.2","@feathersjs/client@3.7.3","@feathersjs/client@3.7.4","@feathersjs/client@3.7.5","@feathersjs/client@3.7.6","@feathersjs/client@3.7.7","@feathersjs/client@3.7.8","@feathersjs/commons@3.0.0","@feathersjs/commons@3.0.1","@feathersjs/commons@4.0.0","@feathersjs/configuration@2.0.1","@feathersjs/configuration@2.0.2","@feathersjs/configuration@2.0.3","@feathersjs/configuration@2.0.4","@feathersjs/configuration@2.0.5","@feathersjs/configuration@2.0.6","@feathersjs/errors@3.3.1","@feathersjs/errors@3.3.2","@feathersjs/errors@3.3.3","@feathersjs/errors@3.3.4","@feathersjs/errors@3.3.5","@feathersjs/errors@3.3.6","@feathersjs/express@1.2.4","@feathersjs/express@1.2.5","@feathersjs/express@1.2.6","@feathersjs/express@1.2.7","@feathersjs/express@1.3.0","@feathersjs/express@1.3.1","@feathersjs/feathers@3.2.0","@feathersjs/feathers@3.2.1","@feathersjs/feathers@3.2.2","@feathersjs/feathers@3.2.3","@feathersjs/feathers@3.3.0","@feathersjs/feathers@3.3.1","@feathersjs/primus-client@1.1.1","@feathersjs/primus-client@1.1.2","@feathersjs/primus-client@1.1.3","@feathersjs/primus-client@1.1.4","@feathersjs/primus-client@1.1.5","@feathersjs/primus-client@1.1.6","@feathersjs/p
rimus-client@1.1.7","@feathersjs/primus@3.2.2","@feathersjs/primus@3.2.3","@feathersjs/primus@3.2.4","@feathersjs/primus@3.2.5","@feathersjs/primus@3.2.6","@feathersjs/primus@3.2.7","@feathersjs/primus@3.2.8","@feathersjs/rest-client@1.4.2","@feathersjs/rest-client@1.4.3","@feathersjs/rest-client@1.4.4","@feathersjs/rest-client@1.4.5","@feathersjs/rest-client@1.4.6","@feathersjs/rest-client@1.4.7","@feathersjs/socketio-client@1.1.1","@feathersjs/socketio-client@1.1.2","@feathersjs/socketio-client@1.1.3","@feathersjs/socketio-client@1.1.4","@feathersjs/socketio-client@1.1.5","@feathersjs/socketio-client@1.2.0","@feathersjs/socketio-client@1.2.1","@feathersjs/socketio@3.2.3","@feathersjs/socketio@3.2.4","@feathersjs/socketio@3.2.5","@feathersjs/socketio@3.2.6","@feathersjs/socketio@3.2.7","@feathersjs/socketio@3.2.8","@feathersjs/socketio@3.2.9","@feathersjs/transport-commons@4.1.2","@feathersjs/transport-commons@4.1.3","@feathersjs/transport-commons@4.1.4","@feathersjs/transport-commons@4.1.5","@feathersjs/transport-commons@4.1.6","@feathersjs/transport-commons@4.2.0","@feathersjs/transport-commons@4.2.1","generator-feathers-plugin@1.0.1","generator-feathers@2.6.1","generator-feathers@2.6.2","generator-feathers@2.6.3","generator-feathers@2.6.4","generator-feathers@2.7.0","generator-feathers@2.7.1","generator-feathers@2.8.0","v1.1.0","v1.1.1","v1.2.0","v1.2.1","v2.0.0","v2.0.0-pre.1","v2.0.0-pre.2","v2.0.0-pre.3","v2.0.0-pre.4","v2.0.1","v2.0.2","v2.0.3","v2.1.0","v2.1.1","v2.1.2","v2.1.3","v2.1.4","v2.1.6","v2.1.7","v2.2.0","v2.2.1","v2.2.2","v2.2.3","v3.0.0","v3.0.1","v3.0.2","v3.0.3","v3.0.4","v3.0.5","v3.1.0","v3.1.1","v3.1.2","v3.1.3","v3.1.4","v3.1.5","v3.1.6","v3.1.7","v3.2.0-pre.1","v4.0.0-pre.0","v4.0.0-pre.1","v4.0.0-pre.2","v4.0.0-pre.3","v4.0.0-pre.4","v4.0.0-pre.5","v4.3.0","v4.3.0-pre.1","v4.3.0-pre.2","v4.3.0-pre.3","v4.3.0-pre.4","v4.3.1","v4.3.10","v4.3.11","v4.3.2","v4.3.3","v4.3.4","v4.3.5","v4.3.6","v4.3.7","v4.3.8","v4.3.9","v4.4.0","v4.4.1","v4.4
.3","v4.5.0","v4.5.1","v4.5.2","v5.0.0","v5.0.0-beta.0","v5.0.0-beta.1","v5.0.0-pre.0","v5.0.0-pre.1","v5.0.0-pre.10","v5.0.0-pre.11","v5.0.0-pre.12","v5.0.0-pre.13","v5.0.0-pre.14","v5.0.0-pre.15","v5.0.0-pre.16","v5.0.0-pre.17","v5.0.0-pre.18","v5.0.0-pre.19","v5.0.0-pre.2","v5.0.0-pre.20","v5.0.0-pre.21","v5.0.0-pre.22","v5.0.0-pre.23","v5.0.0-pre.24","v5.0.0-pre.25","v5.0.0-pre.26","v5.0.0-pre.27","v5.0.0-pre.28","v5.0.0-pre.29","v5.0.0-pre.3","v5.0.0-pre.30","v5.0.0-pre.31","v5.0.0-pre.32","v5.0.0-pre.33","v5.0.0-pre.34","v5.0.0-pre.35","v5.0.0-pre.36","v5.0.0-pre.37","v5.0.0-pre.38","v5.0.0-pre.4","v5.0.0-pre.5","v5.0.0-pre.6","v5.0.0-pre.7","v5.0.0-pre.8","v5.0.0-pre.9","v5.0.1","v5.0.10","v5.0.11","v5.0.12","v5.0.13","v5.0.14","v5.0.15","v5.0.16","v5.0.17","v5.0.18","v5.0.19","v5.0.2","v5.0.20","v5.0.21","v5.0.22","v5.0.23","v5.0.24","v5.0.25","v5.0.26","v5.0.27","v5.0.28","v5.0.29","v5.0.3","v5.0.30","v5.0.31","v5.0.32","v5.0.33","v5.0.34","v5.0.35","v5.0.36","v5.0.37","v5.0.38","v5.0.39","v5.0.4","v5.0.5","v5.0.6","v5.0.7","v5.0.8","v5.0.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27191.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"}]}