Cyber Resilience

CVE-2026-27192

High

Published: 21 February 2026

Modified: 25 February 2026
KEV Added: not listed
Patch: available
CVSS Score v4: 7.6 (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0024 (14.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-27192 is a high-severity Origin Validation Error (CWE-346) vulnerability in Feathersjs Feathers. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 14.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-27192 affects Feathersjs, a framework for building web APIs and real-time applications using TypeScript or JavaScript, specifically in versions 5.0.39 and earlier. The vulnerability stems from improper origin validation in the getAllowedOrigin() function, which uses the startsWith() method to compare the Referer header against a list of allowed origins. This prefix-based check is insufficient, as it permits bypasses when an attacker registers a domain that shares a common prefix with an allowed origin, such as https://target.com.attacker.com evading validation for https://target.com. The issue is tied to CWE-346 (Origin Validation Error) and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Any remote attacker without privileges can exploit this when the origins array is configured in the application. By controlling a malicious domain with a prefix-matching origin, the attacker can trick the validation into allowing requests from unauthorized sources. While tokens are typically redirected to a configured origin, attackers can initiate an OAuth flow from the malicious origin, exfiltrate authentication tokens, and achieve full account takeover in specific scenarios.

The vulnerability has been fixed in Feathersjs version 5.0.40, as detailed in the project's security advisory (GHSA-mp4x-c34x-wv3x), release notes, and the patching commit (ee19a0ae9bc2ebf23b1fe598a1f7361981b65401). Security practitioners should upgrade to version 5.0.40 or later and review configurations involving origin validation and OAuth flows.
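To make the failure mode concrete, the following is an added example written for this page; it is not Feathers' own getAllowedOrigin() implementation and the function names, allow list and sample Referer values are constructed. It places a prefix-based check of the kind described above beside a hardened version that parses the Referer as a URL and compares its origin (scheme, host and port) for exact equality, so a look-alike domain that merely shares a string prefix with an allowed origin is rejected.

```javascript
// Added example (not Feathers' code): prefix-based origin check vs. exact-origin check.
// The allow list and sample Referer values below are constructed for illustration.

const allowedOrigins = ['https://target.com', 'https://app.example.org'];

// Weak check: startsWith() treats any Referer whose string begins with an
// allowed origin as valid, so "https://target.com.attacker.com" passes.
function getAllowedOriginWeak(referer, origins = allowedOrigins) {
  if (typeof referer !== 'string') return null;
  return origins.find((origin) => referer.startsWith(origin)) || null;
}

// Hardened check: parse the Referer as a URL and compare its origin
// (scheme + host + port) for strict equality with each allowed origin.
function getAllowedOriginStrict(referer, origins = allowedOrigins) {
  if (typeof referer !== 'string') return null;
  let refOrigin;
  try {
    refOrigin = new URL(referer).origin; // throws on malformed input
  } catch {
    return null;
  }
  if (refOrigin === 'null') return null; // opaque origin (e.g. data: or file:)
  const normalized = origins.map((o) => {
    try {
      return new URL(o).origin;
    } catch {
      return null; // a malformed allow-list entry never matches
    }
  });
  const idx = normalized.indexOf(refOrigin);
  return idx === -1 ? null : origins[idx];
}

// Constructed Referer values: a legitimate one, the look-alike domain from
// the advisory, a port mismatch, a scheme mismatch and a malformed value.
const samples = [
  'https://target.com/login',
  'https://target.com.attacker.com/callback',
  'https://target.com:8443/',
  'http://target.com/',
  'not a url',
];

// Run both checks over the samples and return the decisions side by side.
function compare(referers) {
  return referers.map((referer) => ({
    referer,
    weak: getAllowedOriginWeak(referer),
    strict: getAllowedOriginStrict(referer),
  }));
}

for (const row of compare(samples)) {
  console.log(row);
}
```

The weak check accepts both the look-alike domain and the port-mismatched Referer because each begins with the allowed string; the strict check accepts only the Referer whose parsed origin is exactly an allow-list entry, and rejects anything the URL parser cannot interpret.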

Vulnerability details

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, origin validation uses startsWith() for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefix with an allowed origin. The getAllowedOrigin() function checks if the Referer header starts with any allowed origin, and this comparison is insufficient as it only validates the prefix. This is exploitable when the origins array is configured and an attacker registers a domain starting with an allowed origin string (e.g., https://target.com.attacker.com bypasses https://target.com). On its own, tokens are still redirected to a configured origin. However, in specific scenarios an attacker can initiate the OAuth flow from an unauthorized origin and exfiltrate tokens, achieving full account takeover. This issue has been fixed in version 5.0.40.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1528 Steal Application Access Token Credential Access
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
T1550.001 Application Access Token Lateral Movement
Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems.
Why these techniques?

The CVE enables remote exploitation of a public-facing web application (T1190) via origin bypass; it directly facilitates theft of OAuth/application tokens (T1528) and the subsequent use of stolen tokens for access (T1550.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-29792 (same product: Feathersjs Feathers)
CVE-2026-29793 (same product: Feathersjs Feathers)
CVE-2026-23552 (shared CWE-346)
CVE-2025-7659 (shared CWE-346)
CVE-2026-6508 (shared CWE-346)
CVE-2025-1102 (shared CWE-346)
CVE-2025-21511 (shared CWE-346)
CVE-2026-22794 (shared CWE-346)
CVE-2024-8487 (shared CWE-346)
CVE-2026-41057 (shared CWE-346)

Affected Assets

feathersjs / feathers, versions ≤ 5.0.40 (note that the advisory text above lists 5.0.39 and earlier as affected and 5.0.40 as the fixed release)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation (prevent): Requires validation of Referer header inputs to block prefix-matching domain bypasses in origin checks.

AC-3 Access Enforcement (prevent): Enforces access decisions based on properly validated origins, preventing unauthorized OAuth flow initiations from malicious domains.

prevent: Controls information flows from client origins to the application, mitigating unauthorized access via flawed prefix validation.