SCA: security update for @feathersjs/authentication-oauth (GHSA-mp4x-c34x-wv3x)

high Tenable Self-Hosted Container Security Plugin ID 437887

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript.
In versions 5.0.39 and below, origin validation uses startsWith() for comparison, allowing attackers to
bypass the check by registering a domain that shares a common prefix with an allowed origin.The
getAllowedOrigin() function checks if the Referer header starts with any allowed origin, and this
comparison is insufficient as it only validates the prefix. This is exploitable when the origins array is
configured and an attacker registers a domain starting with an allowed origin string (e.g.,
https://target.com.attacker.com bypasses https://target.com). On its own, tokens are still redirected to a
configured origin. However, in specific scenarios an attacker can initiate the OAuth flow from an
unauthorized origin and exfiltrate tokens, achieving full account takeover. This issue has bee fixed in
version 5.0.40. (CVE-2026-27192)

See Also

https://github.com/advisories/GHSA-mp4x-c34x-wv3x

Plugin Details

Severity: High

ID: 437887

Version: Revision 1.11

Type: Local

Family: SCA Checks

Published: 2/20/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.88

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.6

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-27192

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7.6

Threat Score: 4.9

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/19/2026

Vulnerability Publication Date: 2/19/2026

Reference Information

CVE: CVE-2026-27192

cwe: CWE-346