CVE-2026-27192
Published: 21 February 2026
Summary
CVE-2026-27192 is a high-severity Origin Validation Error (CWE-346) vulnerability in Feathersjs Feathers. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 0.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires validation of Referer header inputs to block prefix-matching domain bypasses in origin checks.
- Enforces access decisions based on properly validated origins, preventing unauthorized OAuth flow initiations from malicious domains.
- Controls information flows from client origins to the application, mitigating unauthorized access via flawed prefix validation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables remote exploitation of a public-facing web application (T1190) via origin bypass; this directly facilitates theft of OAuth/application access tokens (T1528) and subsequent use of the stolen tokens for access (T1550.001).
NVD Description
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, origin validation uses startsWith() for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefix with an allowed origin. The getAllowedOrigin() function checks if the Referer header starts with any allowed origin, and this comparison is insufficient as it only validates the prefix. This is exploitable when the origins array is configured and an attacker registers a domain starting with an allowed origin string (e.g., https://target.com.attacker.com bypasses https://target.com). On its own, tokens are still redirected to a configured origin. However, in specific scenarios an attacker can initiate the OAuth flow from an unauthorized origin and exfiltrate tokens, achieving full account takeover. This issue has been fixed in version 5.0.40.
Deeper analysis
CVE-2026-27192 affects Feathersjs, a framework for building web APIs and real-time applications using TypeScript or JavaScript, specifically in versions 5.0.39 and earlier. The vulnerability stems from improper origin validation in the getAllowedOrigin() function, which uses the startsWith() method to compare the Referer header against a list of allowed origins. This prefix-based check is insufficient, as it permits bypasses when an attacker registers a domain that shares a common prefix with an allowed origin, such as https://target.com.attacker.com evading validation for https://target.com. The issue is tied to CWE-346 (Origin Validation Error) and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Any remote attacker without privileges can exploit this when the origins array is configured in the application. By controlling a malicious domain with a prefix-matching origin, the attacker can trick the validation into allowing requests from unauthorized sources. While tokens are typically redirected to a configured origin, attackers can initiate an OAuth flow from the malicious origin, exfiltrate authentication tokens, and achieve full account takeover in specific scenarios.
The vulnerability has been fixed in Feathersjs version 5.0.40, as detailed in the project's security advisory (GHSA-mp4x-c34x-wv3x), release notes, and the patching commit (ee19a0ae9bc2ebf23b1fe598a1f7361981b65401). Security practitioners should upgrade to version 5.0.40 or later and review configurations involving origin validation and OAuth flows.
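As an added illustration (not Feathers' own code), the Referer prefix comparison the advisory describes is shown beside an exact-origin comparison that a review of origin-validation configuration should expect to find; the allowed-origin list and the sample Referer values are constructed.

```javascript
// Added example, not Feathers' own code: the Referer prefix check the
// advisory describes, beside an exact-origin comparison. The allowed
// origins and the sample Referer values below are constructed.
const allowedOrigins = ["https://target.com", "http://localhost:3030"];

// Vulnerable pattern: startsWith() only checks that the Referer string
// begins with an allowed origin, so any longer string passes.
function getAllowedOriginPrefix(referer, origins = allowedOrigins) {
  if (typeof referer !== "string") return null;
  return origins.find((o) => referer.startsWith(o)) ?? null;
}

// Hardened check: parse the Referer as a URL and require its
// scheme://host[:port] origin to equal a normalized allowed origin.
// Missing, malformed or opaque-origin values are rejected.
function getAllowedOriginExact(referer, origins = allowedOrigins) {
  if (typeof referer !== "string") return null;
  let refOrigin;
  try {
    refOrigin = new URL(referer).origin; // e.g. "https://target.com"
  } catch {
    return null; // not a parseable absolute URL
  }
  if (refOrigin === "null") return null; // e.g. file: or data: URLs
  for (const o of origins) {
    let allowed;
    try { allowed = new URL(o).origin; } catch { continue; }
    if (allowed === refOrigin) return o;
  }
  return null;
}

// Constructed Referer values: a legitimate one, the lookalike host from
// the advisory, another host sharing the prefix, and a prefix-matching
// port; only the first should be accepted.
const samples = [
  "https://target.com/oauth/callback",
  "https://target.com.attacker.com/",
  "https://target.community/",
  "http://localhost:30300/",
];
for (const r of samples) {
  console.log(r, "prefix:", getAllowedOriginPrefix(r), "exact:", getAllowedOriginExact(r));
}
```

Run with node; the prefix column accepts every sample while the exact column accepts only the first.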
Details
- CWE(s)