CVE-2026-29792: CWE-287: Improper Authentication in feathersjs feathers
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's authentication payload has a fallback chain that reaches params.query (the raw request query) when Grant's session/state responses are empty. Since the attacker never initiated an OAuth authorize flow, Grant has no session to work with and produces no response, so the fallback fires. The forged profile then drives entity lookup and JWT minting. The attacker gets a valid access token for an existing user without ever contacting the OAuth provider. This vulnerability is fixed in 5.0.42.
AI Analysis
Technical Summary
Feathersjs is a popular framework for building web APIs and real-time applications using JavaScript or TypeScript. Versions from 5.0.0 up to, but not including, 5.0.42 contain a critical improper authentication vulnerability (CWE-287), tracked as CVE-2026-29792. The flaw lies in the OAuth authentication flow, specifically in the /oauth/:provider/callback endpoint. Normally, OAuth authentication is a multi-step process: the client initiates an authorization request, the OAuth provider authenticates the user, and the provider then redirects back with a valid authorization code or token. In the vulnerable versions, however, if an attacker sends a crafted GET request directly to the callback endpoint with a forged user profile embedded in the query string, the OAuth service's authentication payload falls back to params.query whenever the Grant library's session or state responses are empty. Because the attacker never initiated an OAuth authorization flow, no session exists, so Grant produces no response and the fallback fires. The attacker-supplied forged profile is then used for entity lookup and JWT minting. The attacker thus obtains a valid access token for an existing user without any interaction with the legitimate OAuth provider, bypassing authentication controls entirely. This enables unauthorized access to user accounts and any resources protected by the resulting tokens. The issue is fixed in Feathersjs version 5.0.42. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality and integrity. No public exploits have been reported yet, but the critical severity and ease of exploitation make this a high-risk vulnerability for affected deployments.
Potential Impact
The impact of CVE-2026-29792 is severe for organizations using vulnerable versions of Feathersjs in their web APIs or real-time applications. Attackers can impersonate any existing user without needing credentials or interaction with the legitimate OAuth provider, leading to unauthorized access to sensitive data and functionality. This can result in data breaches, privilege escalation, and compromise of application integrity. Since JWT tokens minted by the attacker are valid, they can bypass normal authentication and authorization checks, potentially accessing confidential user information, modifying data, or performing actions on behalf of the victim user. The vulnerability affects all deployments using the affected Feathersjs versions with OAuth authentication enabled, which may include startups, SaaS providers, and enterprises relying on this framework. The ease of exploitation over the network without authentication or user interaction increases the risk of automated attacks and widespread compromise. Organizations may face regulatory, reputational, and operational consequences if exploited.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade Feathersjs to version 5.0.42 or later, where the issue is fixed. If upgrading is not immediately possible, implement strict input validation and sanitization on the /oauth/:provider/callback endpoint to reject any requests containing forged or unexpected query parameters. Disable or restrict direct access to the OAuth callback endpoint from untrusted sources. Review and harden the OAuth integration to ensure that the authentication flow strictly requires valid session or state parameters before minting tokens. Employ additional monitoring and anomaly detection on OAuth callback requests to identify suspicious patterns indicative of exploitation attempts. Consider implementing multi-factor authentication (MFA) to reduce the impact of compromised tokens. Finally, audit logs for any unauthorized access and revoke any suspicious tokens issued prior to patching.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-04T16:26:02.900Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b17c642f860ef943f8b125
Added to database: 3/11/2026, 2:29:56 PM
Last enriched: 3/11/2026, 2:44:27 PM
Last updated: 3/13/2026, 11:20:01 PM