CVE-2026-27193 HIGH

CVE-2026-27193: Feathers exposes internal headers via unencrypted session cookie

Vendor Feathersjs
Product feathers
Weakness CWE-200 · Info exposure
Published February 21, 2026
Last update February 25, 2026
View on NVD All CVEs

CVSS base score

8.2/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, all HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth service stores the complete headers object in the session, then the session is persisted using cookie-session, which base64-encodes the data. While the cookie is signed to prevent tampering, the contents are readable by anyone by simply decoding the base64 value. Under specific deployment configurations (e.g., behind reverse proxies or API gateways), this can lead to exposure of sensitive internal infrastructure details such as API keys, service tokens, and internal IP addresses. This issue has been fixed in version 5.0.40.

Key dates

02Disclosure timeline

February 21, 2026 CVE published
February 25, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-34005 moodle: authenticated LFI risk in some misconfigured shared hosting environments via modified mod_data backup CVE-2026-32865 OPEXUS eComplaint and eCase insecure password reset CVE-2023-6136 WordPress Debug Log Manager Plugin <= 2.3.0 is vulnerable to Sensitive Data Exposure CVE-2019-12708 Cisco SPA100 Series Analog Telephone Adapters Administrative Credentials Information Disclosure Vulnerability CVE-2025-30208 Vite bypasses server.fs.deny when using `?raw??`