CVE•Published 2026-04-23•Modified 2026-06-02•0 articles on news•7 live references•NVD data

CVE-2026-41213Node-oauth · Node-oauth\/oauth2-server

Vulnerability data via NVD (ingested)

CVSS v3.1

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS percentile

Exploit Prediction Scoring System · top 83% of all CVEs

Weaknesses (CWE)

CWE-307Improper Restriction of Excessive Authentication Attempts CWE-1289Improper Validation of Unsafe Equivalence in Input

Description

@node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid code_verifier values (including one-character strings) for S256 PKCE flows. Because short/weak verifiers are accepted and failed verifier attempts do not consume the authorization code, an attacker who intercepts an authorization code can brute-force code_verifier guesses online until token issuance succeeds.

Timeline

Published 2026-04-23

Modified 2026-06-02

External references

NVD MITRE Exploit-DB GitHub PoC Sploitus trickest/cve VulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts

vuln:CVE-2026-41213

Hosts Shodan has explicitly fingerprinted as vulnerable.

Shodan · product

product:"Node-oauth Node-oauth\/oauth2-server"

All exposed Node-oauth Node-oauth\/oauth2-server instances — cross-reference with the CVE's affected-version range.

Shodan · banner/body mention

http.html:"Node-oauth\/oauth2-server"

HTTP body or banner mentions "Node-oauth\/oauth2-server" — catches deploys Shodan didn't identify as a product.

More intel sources (5)

Shodan report

vuln:CVE-2026-41213