CVE-2026-27193— Feathers exposes internal headers via unencrypted session cookie
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-27193
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Feathers exposes internal headers via unencrypted session cookie
Source: NVD (National Vulnerability Database)
Vulnerability Description
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, all HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth service stores the complete headers object in the session, then the session is persisted using cookie-session, which base64-encodes the data. While the cookie is signed to prevent tampering, the contents are readable by anyone by simply decoding the base64 value. Under specific deployment configurations (e.g., behind reverse proxies or API gateways), this can lead to exposure of sensitive internal infrastructure details such as API keys, service tokens, and internal IP addresses. This issue has been fixed in version 5.0.40.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
Feathers 信息泄露漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Feathers是Feathers开源的一个轻量级的 Web 框架。用于使用 TypeScript 或 JavaScript 创建 API 和实时应用程序。 Feathers 5.0.39及之前版本存在信息泄露漏洞,该漏洞源于所有HTTP请求标头都存储在会话cookie中,该cookie已签名但未加密,可能向客户端暴露内部代理或网关标头,导致敏感内部基础设施详细信息泄露。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| feathersjs | feathers | < 5.0.40 | - |
II. Public POCs for CVE-2026-27193
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-27193
请登录查看更多情报信息。
Same Patch Batch · feathersjs · 2026-02-21 · 3 CVEs total
| CVE-2026-27191 | Feathers: Open Redirect in OAuth callback enables account takeover | |
| CVE-2026-27192 | Feathers has an origin validation bypass via prefix matching |
IV. Related Vulnerabilities
Same product: feathers
Same vendor: feathersjs
Same weakness: CWE-200
- CVE-2026-42333
quarkus-openapi-generator has overly broad path-parameter ma - CVE-2026-8198
Activity Logs, User Activity Tracking, Multisite Activity Lo - CVE-2026-42456
AnythingLLM: Cross-User TTS Audio Disclosure via Chat ID (ID - CVE-2026-41520
Cillium exposes sensitive information included in the cilium - CVE-2026-25199
Apache CloudStack: Proxmox Extension Allows Unauthorized Cro
V. Comments for CVE-2026-27193
No comments yet