Cyber Resilience

CVE-2026-29792

Critical

Published: 10 March 2026

Modified: 19 March 2026
KEV Added: not listed
Patch: available
CVSS Score v4: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0052 (40.0th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-29792 is a critical-severity Improper Authentication (CWE-287) vulnerability in Feathersjs Feathers. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 40.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-29792 is a high-severity improper authentication vulnerability (CWE-287) in the Feathersjs framework, which is used for building web APIs and real-time applications with TypeScript or JavaScript. It affects versions from 5.0.0 up to but not including 5.0.42. The issue stems from the OAuth service's authentication payload fallback chain, which resorts to raw request query parameters (params.query) when Grant's session or state responses are absent. An unauthenticated attacker can exploit this by sending a crafted GET request directly to the /oauth/:provider/callback endpoint with a forged profile in the query string, bypassing the standard OAuth flow. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Any unauthenticated remote attacker can exploit this vulnerability without prerequisites such as user interaction or privileges. Because Grant produces no session response unless an authorize flow was started first, a request carrying a forged profile for an existing user falls through to the query fallback and triggers entity lookup and JWT token minting. The attacker thereby obtains a valid access token for the targeted user account, enabling full compromise of confidentiality, integrity, and availability for that account.

The vulnerability was addressed in Feathersjs version 5.0.42. Security practitioners should upgrade to this version or later. Additional details are available in the official advisory at https://github.com/feathersjs/feathers/security/advisories/GHSA-wg9x-qfgw-pxhj.

Vulnerability details

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string.

The OAuth service's authentication payload has a fallback chain that reaches params.query (the raw request query) when Grant's session/state responses are empty. Since the attacker never initiated an OAuth authorize flow, Grant has no session to work with and produces no response, so the fallback fires. The forged profile then drives entity lookup and JWT minting. The attacker gets a valid access token for an existing user without ever contacting the OAuth provider. This vulnerability is fixed in 5.0.42.
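The fallback chain described in the deeper analysis and in the advisory text above, modelled as an added illustration that is not FeathersJS source: a payload selector in the vulnerable shape (last resort is the raw query) beside a hardened shape that refuses any callback Grant did not populate, plus a regression check a maintainer can keep in a test suite. The function names, the `ctx` object shape (state/session/query) and the sample contexts are assumptions constructed for this example.

```javascript
// Added illustration of the payload fallback chain; simplified model, not
// FeathersJS code. Function names and the shape of `ctx` are assumptions.

// Vulnerable shape: when Grant left no state or session response, fall back
// to the raw request query, which the client fully controls.
function selectPayloadVulnerable(ctx) {
  const fromState = ctx.state && ctx.state.response;
  const fromSession = ctx.session && ctx.session.grant && ctx.session.grant.response;
  return fromState || fromSession || ctx.query; // last link is client-supplied
}

// Hardened shape: only the sources Grant populates after a real authorize
// round-trip are acceptable; a callback without them is rejected outright.
function selectPayloadHardened(ctx) {
  const fromState = ctx.state && ctx.state.response;
  const fromSession = ctx.session && ctx.session.grant && ctx.session.grant.response;
  const payload = fromState || fromSession;
  if (!payload || typeof payload.profile !== 'object' || payload.profile === null) {
    throw new Error('OAuth callback without a Grant session: refusing to authenticate');
  }
  return payload;
}

// Constructed context: a direct GET to the callback with no prior authorize
// flow, so Grant state and session are empty and a profile sits in the query.
const forgedCallbackCtx = {
  state: {},
  session: {},
  query: { profile: { id: 'constructed-user-id' } },
};

// Constructed context: a legitimate callback after Grant completed the flow.
const legitimateCallbackCtx = {
  state: { response: { profile: { id: 'provider-user-42' } } },
  session: {},
  query: { code: 'constructed-provider-code' },
};

// Regression check for either selector: does it accept a profile that came
// only from the query string? Returns true when the selector is vulnerable.
function acceptsForgedProfile(selectPayload) {
  try {
    const payload = selectPayload(forgedCallbackCtx);
    return Boolean(payload && payload.profile);
  } catch (err) {
    return false;
  }
}
```

The structural point is that the hardened selector has no path from the request query to entity lookup; the real remediation remains upgrading to 5.0.42 as the advisory states.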

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1078 Valid Accounts (Stealth)
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1550.001 Application Access Token (Lateral Movement)
Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems.

Why these techniques?

The CVE describes a remote authentication bypass in a public-facing web API framework (OAuth callback endpoint), directly enabling exploitation of public-facing applications (T1190) to obtain valid user accounts (T1078) and application access tokens/JWTs (T1550.001) without credentials or prior interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27192 (same product: Feathersjs Feathers)
CVE-2026-29793 (same product: Feathersjs Feathers)
CVE-2026-32246 (shared CWE-287)
CVE-2024-12919 (shared CWE-287)
CVE-2026-3655 (shared CWE-287)
CVE-2026-0953 (shared CWE-287)
CVE-2026-5722 (shared CWE-287)
CVE-2026-30949 (shared CWE-287)
CVE-2026-23906 (shared CWE-287)
CVE-2025-67822 (shared CWE-287)

Affected Assets

feathersjs feathers: versions 5.0.0 up to but not including 5.0.42

Mitigating Controls (NIST 800-53 r5) AI

Prevent: remediating the specific flaw in the Feathersjs OAuth fallback chain by upgrading to the patched 5.0.42 release directly prevents attackers from forging query profiles to mint valid JWTs.

Prevent: validating and sanitizing raw query parameters in the OAuth callback endpoint rejects forged profiles before they trigger entity lookup and JWT minting.

Prevent: protecting authentication processes on publicly accessible web APIs prevents unauthenticated bypasses such as direct crafted requests to OAuth callbacks.
