CVE-2026-29792
Published: 10 March 2026
Summary
CVE-2026-29792 is a critical-severity Improper Authentication (CWE-287) vulnerability in Feathersjs Feathers. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 18.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Remediating the specific flaw in Feathersjs' OAuth fallback chain by installing the 5.0.42 patch directly prevents attackers from forging query profiles to mint valid JWTs.
Validating and sanitizing raw query parameters in the OAuth callback endpoint rejects forged profiles before they trigger entity lookup and JWT minting.
Protecting authentication processes on publicly accessible web APIs prevents unauthenticated bypasses like direct crafted requests to OAuth callbacks.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote authentication bypass in a public-facing web API framework (OAuth callback endpoint), directly enabling exploitation of public-facing applications (T1190) to obtain valid user accounts (T1078) and application access tokens/JWTs (T1550.001) without credentials or prior interaction.
NVD Description
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's authentication payload has a fallback chain that reaches params.query (the raw request query) when Grant's session/state responses are empty. Since the attacker never initiated an OAuth authorize flow, Grant has no session to work with and produces no response, so the fallback fires. The forged profile then drives entity lookup and JWT minting. The attacker gets a valid access token for an existing user without ever contacting the OAuth provider. This vulnerability is fixed in 5.0.42.
Deeper analysis
CVE-2026-29792 is a high-severity improper authentication vulnerability (CWE-287) in the Feathersjs framework, which is used for building web APIs and real-time applications with TypeScript or JavaScript. It affects versions from 5.0.0 up to but not including 5.0.42. The issue stems from the OAuth service's authentication payload fallback chain, which resorts to raw request query parameters (params.query) when Grant's session or state responses are absent. An unauthenticated attacker can exploit this by sending a crafted GET request directly to the /oauth/:provider/callback endpoint with a forged profile in the query string, bypassing the standard OAuth flow. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Any unauthenticated remote attacker can exploit this vulnerability without prerequisites like user interaction or privileges. By crafting a request with a forged profile for an existing user, the attacker triggers entity lookup and JWT token minting, as Grant produces no session response without a prior authorize flow. This results in the attacker obtaining a valid access token for the targeted user account, enabling full compromise of confidentiality, integrity, and availability for that account.
The vulnerability was addressed in Feathersjs version 5.0.42. Security practitioners should upgrade to this version or later. Additional details are available in the official advisory at https://github.com/feathersjs/feathers/security/advisories/GHSA-wg9x-qfgw-pxhj.
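The fallback chain described in the NVD text and the deeper analysis above, shown as an added, simplified model rather than Feathers' own code: the vulnerable selection ends at the raw request query, while the hardened selection only accepts a Grant-produced response bound to the session or state. All function names, field names (`session.response`, `profile.id`, `githubId`) and the sample data are assumptions constructed for this example.

```javascript
// Added illustration, not code from the Feathers project. Names are assumed.

// Vulnerable shape: the last link of the fallback chain is the raw request
// query, so a request that never went through Grant still yields a "profile".
function selectPayloadVulnerable(params) {
  const { session, state, query } = params;
  return (session && session.response) || (state && state.response) || query;
}

// Hardened shape: the profile must come from a Grant response stored in the
// session or state; raw query parameters are never accepted as a profile.
function selectPayloadHardened(params) {
  const { session, state } = params;
  const response = (session && session.response) || (state && state.response);
  return response && response.profile ? response : null;
}

// Entity lookup followed by token minting, the two steps the advisory names.
// The token string stands in for a real signed JWT.
function handleCallback(selectPayload, params, users) {
  const payload = selectPayload(params);
  if (!payload || !payload.profile || !payload.profile.id) {
    return { status: 401, error: 'no provider response for this request' };
  }
  const user = users.find((u) => u.githubId === payload.profile.id);
  if (!user) return { status: 401, error: 'unknown entity' };
  return { status: 200, accessToken: `jwt-for-${user.id}` };
}

// Constructed sample data: one existing user linked to a provider account.
const users = [{ id: 7, githubId: 'octo-42' }];

// A callback with no Grant session or state, only query parameters.
const forgedParams = {
  session: undefined,
  state: undefined,
  query: { profile: { id: 'octo-42' } },
};

// A genuine callback: Grant stored the provider's response in the session.
const genuineParams = {
  session: { response: { profile: { id: 'octo-42' } } },
  state: undefined,
  query: {},
};
```

With the vulnerable selector the forged request is issued a token for user 7; with the hardened selector it is rejected with 401 while the genuine session still authenticates.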
Details
- CWE(s)