Cyber Resilience

CVE-2026-41213

MediumPublic PoCUpdated

Published: 23 April 2026

Published
23 April 2026
Modified
02 June 2026
KEV Added
Patch
CVSS Score v3.1 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0016 36.5th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-41213 is a medium-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Node-Oauth Node-Oauth\/Oauth2-Server. Its CVSS base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110); ranked at the 36.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

@node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid code_verifier values (including one-character strings) for S256 PKCE flows. Because short/weak verifiers are accepted and failed verifier attempts do not consume the authorization…

more

code, an attacker who intercepts an authorization code can brute-force code_verifier guesses online until token issuance succeeds.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1110 Brute Force Credential Access
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
Why these techniques?

Vulnerability enables online brute-force guessing of short code_verifier values against the token endpoint (CWE-307) without code consumption on failure.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

Affected Assets

node-oauth
node-oauth\/oauth2-server
≤ 5.3.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-307

This control directly enforces limits on consecutive invalid logon attempts and automatic response (e.g., lockout) to prevent brute-force exploitation of authentication mechanisms.

addresses: CWE-307

Specific conditions can include excessive failed attempts, triggering stronger authentication that restricts brute-force exploitation.

References