CVE-2026-27191 is an open redirect vulnerability classified under CWE-601 found in the feathersjs framework, a popular tool for building web APIs and real-time applications using JavaScript or TypeScript. In versions 5.0.39 and earlier, the framework improperly handles the redirect query parameter by appending it directly to the base origin URL without sufficient validation. Specifically, when the origins array is configured and origin values do not end with a trailing slash, an attacker can supply a redirect parameter containing an '@' symbol, such as '@attacker.com'. This causes the constructed URL to appear as https://target.com@attacker.com#access_token=..., where the browser interprets 'attacker.com' as the host rather than 'target.com'. Consequently, access tokens embedded in the URL fragment can be stolen by the attacker. This token theft enables full account takeover, as the attacker can impersonate the victim user. Exploitation requires user interaction (e.g., clicking a malicious link) but no prior authentication or privileges. The vulnerability has a CVSS 4.0 score of 7.4 (high severity), reflecting the significant impact on confidentiality and integrity, though exploitation complexity is high due to the need for user interaction and specific configuration conditions. The issue was addressed and fixed in feathersjs version 5.0.40.

This vulnerability poses a serious risk to organizations using vulnerable versions of feathersjs, especially those deploying web applications that rely on URL redirects for authentication flows or token handling. Attackers can craft malicious URLs that, when visited by users, result in the theft of access tokens, enabling full account takeover and impersonation. This compromises user confidentiality and integrity, potentially leading to unauthorized access to sensitive data, manipulation of user accounts, and further lateral movement within affected systems. The impact is amplified in environments where access tokens grant broad privileges or where multi-factor authentication is not enforced. Additionally, the vulnerability can undermine user trust and expose organizations to regulatory and reputational damage. Given the widespread use of feathersjs in modern web applications, the scope of affected systems is significant, particularly in sectors relying on real-time APIs and JavaScript-based frameworks.

Organizations should immediately upgrade all instances of feathersjs to version 5.0.40 or later, where this vulnerability is fixed. In addition to upgrading, developers should implement strict validation and sanitization of all redirect parameters, ensuring that user-supplied input cannot alter the URL authority or host component. Employing allowlists for redirect destinations and enforcing trailing slashes in origin configurations can prevent exploitation. Security teams should audit existing applications for usage of vulnerable versions and monitor logs for suspicious redirect patterns or unusual access token exposures. Implementing short-lived tokens and binding tokens to specific origins or client contexts can reduce the impact of token theft. User education on avoiding clicking suspicious links and deploying web application firewalls (WAFs) with rules to detect open redirect attempts can provide additional defense layers.