Vulnerability Details CVE-2026-41213
@node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC7636-invalid code_verifier values (including one-character strings) for S256 PKCE flows. Because short/weak verifiers are accepted and failed verifier attempts do not consume the authorization code, an attacker who intercepts an authorization code can brute-force code_verifier guesses online until token issuance succeeds.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 36.7%
CVSS Severity
CVSS v3 Score 5.9
References
Products affected by CVE-2026-41213
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:1.0.0
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:1.1.0
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:1.1.1
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:1.2.0
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:1.2.1
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:1.2.2
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:1.2.3
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:1.2.4
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:1.2.5
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:1.3.0
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:1.3.1
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:1.3.2
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:1.4.0
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:1.4.1
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:1.5.0
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:1.5.1
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:1.5.2
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:2.0.1
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:2.2.0
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:2.2.1
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:2.2.2
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:2.3.0
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:2.4.0
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:2.4.1
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:3.0.0
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:3.0.1
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:3.0.2
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:3.1.0
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:3.1.1
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:4.0.0
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:4.1.0
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:4.1.1
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:4.2.0
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:4.3.0
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:4.3.1
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:4.3.2
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:4.3.3
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:5.0.0
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:5.1.0
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:5.2.0
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:5.2.1
-
cpe:2.3:a:node-oauth:node-oauth/oauth2-server:5.2.2