{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41213", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-18T02:51:52.975Z", "datePublished": "2026-04-23T18:33:42.365Z", "dateUpdated": "2026-04-25T01:23:58.715Z"}, "containers": {"cna": {"title": "@node-oauth/oauth2-server: PKCE code_verifier ABNF not enforced in token exchange allows brute-force redemption of intercepted authorization codes", "problemTypes": [{"descriptions": [{"cweId": "CWE-307", "lang": "en", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1289", "lang": "en", "description": "CWE-1289: Improper Validation of Unsafe Equivalence in Input", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/node-oauth/node-oauth2-server/security/advisories/GHSA-jhm7-29pj-4xvf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/node-oauth/node-oauth2-server/security/advisories/GHSA-jhm7-29pj-4xvf"}], "affected": [{"vendor": "node-oauth", "product": "node-oauth2-server", "versions": [{"version": "< 5.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T18:33:42.365Z"}, "descriptions": [{"lang": "en", "value": "@node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid code_verifier values (including one-character strings) for S256 PKCE flows. Because short/weak verifiers are accepted and failed verifier attempts do not consume the authorization code, an attacker who intercepts an authorization code can brute-force code_verifier guesses online until token issuance succeeds."}], "source": {"advisory": "GHSA-jhm7-29pj-4xvf", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/node-oauth/node-oauth2-server/security/advisories/GHSA-jhm7-29pj-4xvf", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-25T01:23:23.060024Z", "id": "CVE-2026-41213", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-25T01:23:58.715Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41213", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-25T01:23:23.060024Z"}}}], "references": [{"url": "https://github.com/node-oauth/node-oauth2-server/security/advisories/GHSA-jhm7-29pj-4xvf", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-25T01:23:53.346Z"}}], "cna": {"title": "@node-oauth/oauth2-server: PKCE code_verifier ABNF not enforced in token exchange allows brute-force redemption of intercepted authorization codes", "source": {"advisory": "GHSA-jhm7-29pj-4xvf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "node-oauth", "product": "node-oauth2-server", "versions": [{"status": "affected", "version": "< 5.3.0"}]}], "references": [{"url": "https://github.com/node-oauth/node-oauth2-server/security/advisories/GHSA-jhm7-29pj-4xvf", "name": "https://github.com/node-oauth/node-oauth2-server/security/advisories/GHSA-jhm7-29pj-4xvf", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "@node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid code_verifier values (including one-character strings) for S256 PKCE flows. Because short/weak verifiers are accepted and failed verifier attempts do not consume the authorization code, an attacker who intercepts an authorization code can brute-force code_verifier guesses online until token issuance succeeds."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-307", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1289", "description": "CWE-1289: Improper Validation of Unsafe Equivalence in Input"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T18:33:42.365Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41213", "state": "PUBLISHED", "dateUpdated": "2026-04-25T01:23:58.715Z", "dateReserved": "2026-04-18T02:51:52.975Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-23T18:33:42.365Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "@node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid code_verifier values (including one-character strings) for S256 PKCE flows. Because short/weak verifiers are accepted and failed verifier attempts do not consume the authorization code, an attacker who intercepts an authorization code can brute-force code_verifier guesses online until token issuance succeeds."}], "id": "CVE-2026-41213", "lastModified": "2026-04-25T02:16:02.250", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-23T19:17:29.400", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/node-oauth/node-oauth2-server/security/advisories/GHSA-jhm7-29pj-4xvf"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/node-oauth/node-oauth2-server/security/advisories/GHSA-jhm7-29pj-4xvf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}, {"lang": "en", "value": "CWE-1289"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "node-oauth2-server", "source": "cna", "vendor": "node-oauth"}, "product": "node-oauth2-server", "vendor": "node-oauth"}], "analysis": {"en": {"generated_at": "2026-04-28T07:32:20.187756+00:00", "value": {"mitigation_remediation": ["Upgrade node-oauth2-server to a version that enforces RFC7636 code_verifier validation.", "Use TLS everywhere to protect OAuth2 authorization codes from interception.", "Implement server\u2011side throttling or code invalidation after a set number of failed code_verifier attempts to mitigate brute\u2011force attacks."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Token Issuance"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the node-oauth:node-oauth2-server package, a Node.js library used to implement OAuth2 servers. All releases of the library are potentially susceptible until the issue is fixed, as no specific version range was provided by the CNA.", "description_and_impact": "In the node-oauth2-server library, a flaw in the token exchange process for S256 PKCE flows allows the server to accept code_verifier values that do not meet RFC7636 requirements, including one\u2011character strings. If an attacker captures an OAuth2 authorization code, they can repeatedly guess these weak or short code_verifier values online. Because the server does not invalidate the code after a failed attempt, the attacker can iterate many times until a correct verifier is supplied, resulting in the issuance of an access token that can be used to access protected resources. This weakness is a consequence of improper input validation (CWE\u20111289, CWE\u2011307).", "risk_and_exploitability": "The CVSS score of 5.9 indicates a moderate severity, while the EPSS score of less than 1% suggests that known exploitation is low at present. The vulnerability is not yet listed as a known exploited vulnerability by CISA. The likely attack vector is online, requiring the interception of an authorization code over an insecure transport or a compromised network. Once the code is captured, the attacker can brute\u2011force the code_verifier through repeated API calls until the token endpoint issues a valid access token. This yields full access to the victim\u2019s scopes and can lead to unauthorized data disclosure or manipulation."}}}}, "created": "2026-04-28T07:45:26.025075+00:00", "updated": "2026-04-28T09:25:47.437619+00:00", "vendors": ["node-oauth", "node-oauth$PRODUCT$node-oauth2-server"]}