
7 matches found

Vulnrichment · added 2026/04/23 6:33 p.m.

CVE-2026-41213 @node-oauth/oauth2-server: PKCE code_verifier ABNF not enforced in token exchange allows brute-force redemption of intercepted authorization codes

@node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC 7636-invalid code_verifier values, including one-character strings, for S256 PKCE flows. Because short/weak verifiers are accepted and failed verifier attempts do not consume the...

CVSS 5.9 · AI score 5.3 · EPSS 0.00117
Exploits 1 · References 1
Github Security Blog · added 2026/04/16 9:09 p.m.

@node-oauth/oauth2-server: PKCE code_verifier ABNF not enforced in token exchange allows brute-force redemption of intercepted authorization codes

Summary: The token exchange path accepts RFC 7636-invalid code_verifier values, including one-character strings, for S256 PKCE flows. Because short/weak verifiers are accepted and failed verifier attempts do not consume the authorization code, an attacker who intercepts an authorization code can...

CVSS 5.9 · AI score 5.9 · EPSS 0.00117
Exploits 1 · References 3 · Affected Software 1
OSV · added 2026/04/16 9:09 p.m.

GHSA-JHM7-29PJ-4XVF @node-oauth/oauth2-server: PKCE code_verifier ABNF not enforced in token exchange allows brute-force redemption of intercepted authorization codes

Summary: The token exchange path accepts RFC 7636-invalid code_verifier values, including one-character strings, for S256 PKCE flows. Because short/weak verifiers are accepted and failed verifier attempts do not consume the authorization code, an attacker who intercepts an authorization code can...

CVSS 5.9 · AI score 5.9 · EPSS 0.00117
Exploits 1 · References 3
Snyk · added 2026/03/12 4:38 p.m.

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization in the token endpoint. An attacker can obtain access tokens for users who have not authorized their application by exchanging intercepted authorization codes issued to other clients. Note: This is only exploitabl...

CVSS 6.5 · AI score 5.8 · EPSS 0.00055
Exploits 1 · References 2
Snyk · added 2026/03/12 4:38 p.m.

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization in the token endpoint. An attacker can obtain access tokens for users who have not authorized their application by exchanging intercepted authorization codes issued to other clients. Note: This is only exploitabl...

CVSS 6.5 · AI score 5.8 · EPSS 0.00055
Exploits 1 · References 2
Positive Technologies · added 2024/01/18 12:00 a.m.

PT-2024-1285 · Nextcloud +2 · Nextcloud Server +2

Name of the Vulnerable Software and Affected Versions: Nextcloud Server versions prior to 28.0.0. Description: The issue concerns the expiration of OAuth codes in Nextcloud Server, a self-hosted personal cloud system. In affected versions, OAuth codes did not expire, allowing an attacker who gains...

CVSS 9.8 · AI score 5.8 · EPSS 0.00824
Exploits 6 · References 99
CNVD · added 2017/10/08 12:00 a.m.

Multiple Vulnerabilities in the Magic Fly Broker App

Magic Fly Broker App is a mobile listing management application designed to help brokers increase orders. The MagicFly Broker App contains arbitrary user login and arbitrary password reset vulnerabilities. Attackers can register any account and reset any password by capturing packets and interceptin...

AI score 7.2
Exploits 0