Auth bypass in @Feathersjs Authentication-oauth
CVE-2026-29792
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a…
Vulnerability class: Broken Authentication
EPSS: 0.001 (23.6th percentile)
Affected products
- @Feathersjs Authentication-oauth — versions >= 5.0.0, < 5.0.42
- Feathersjs Feathers — versions >= 5.0.0, < 5.0.42
Weakness classification (CWE)
References
- https://github.com/feathersjs/feathers/security/advisories/GHSA-wg9x-qfgw-pxhj (x_refsource_CONFIRM)