CVE-2026-41213

node-oauth / node-oauth/oauth2-server

Description

@node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC 7636-invalid code_verifier values (including one-character strings) for S256 PKCE flows. Because short/weak verifiers are accepted and failed verifier attempts do not consume the authorization code, an attacker who intercepts an authorization code can brute-force code_verifier guesses online until token issuance succeeds.

Scoring

CVSS 5.9
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.26% probability of exploitation · percentile 17.0% · 2026-06-18T12:00:27Z
Last modified: 2026-06-02

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.