{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34969", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-31T19:38:31.616Z", "datePublished": "2026-04-06T16:01:10.174Z", "dateUpdated": "2026-04-07T16:00:25.296Z"}, "containers": {"cna": {"title": "Nhost Leaks the Refresh Token via URL Query Parameter in OAuth Provider Callback", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-598", "lang": "en", "description": "CWE-598: Use of GET Request Method With Sensitive Query Strings", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/nhost/nhost/security/advisories/GHSA-g2qj-prgh-4g9r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nhost/nhost/security/advisories/GHSA-g2qj-prgh-4g9r"}], "affected": [{"vendor": "nhost", "product": "nhost", "versions": [{"version": "< 0.48.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T16:01:10.174Z"}, "descriptions": [{"lang": "en", "value": "Nhost is an open source Firebase alternative with GraphQL. Prior to 0.48.0, the auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser history, server access logs, HTTP Referer headers, and proxy/CDN logs. Note that the refresh token is one-time use and all of these leak vectors are on owned infrastructure or services integrated by the application developer. This vulnerability is fixed in 0.48.0."}], "source": {"advisory": "GHSA-g2qj-prgh-4g9r", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/nhost/nhost/security/advisories/GHSA-g2qj-prgh-4g9r", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T15:47:19.923890Z", "id": "CVE-2026-34969", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T16:00:25.296Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34969", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T15:47:19.923890Z"}}}], "references": [{"url": "https://github.com/nhost/nhost/security/advisories/GHSA-g2qj-prgh-4g9r", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T15:47:28.542Z"}}], "cna": {"title": "Nhost Leaks the Refresh Token via URL Query Parameter in OAuth Provider Callback", "source": {"advisory": "GHSA-g2qj-prgh-4g9r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.3, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "nhost", "product": "nhost", "versions": [{"status": "affected", "version": "< 0.48.0"}]}], "references": [{"url": "https://github.com/nhost/nhost/security/advisories/GHSA-g2qj-prgh-4g9r", "name": "https://github.com/nhost/nhost/security/advisories/GHSA-g2qj-prgh-4g9r", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Nhost is an open source Firebase alternative with GraphQL. Prior to 0.48.0, the auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser history, server access logs, HTTP Referer headers, and proxy/CDN logs. Note that the refresh token is one-time use and all of these leak vectors are on owned infrastructure or services integrated by the application developer. This vulnerability is fixed in 0.48.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-598", "description": "CWE-598: Use of GET Request Method With Sensitive Query Strings"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T16:01:10.174Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34969", "state": "PUBLISHED", "dateUpdated": "2026-04-07T16:00:25.296Z", "dateReserved": "2026-03-31T19:38:31.616Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T16:01:10.174Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nhost:nhost\\/auth:*:*:*:*:*:*:*:*", "matchCriteriaId": "CC94EDA1-AB33-40FB-8D3C-FF131A157A14", "versionEndExcluding": "0.48.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Nhost is an open source Firebase alternative with GraphQL. Prior to 0.48.0, the auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser history, server access logs, HTTP Referer headers, and proxy/CDN logs. Note that the refresh token is one-time use and all of these leak vectors are on owned infrastructure or services integrated by the application developer. This vulnerability is fixed in 0.48.0."}], "id": "CVE-2026-34969", "lastModified": "2026-04-22T20:16:14.793", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T16:16:38.457", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/nhost/nhost/security/advisories/GHSA-g2qj-prgh-4g9r"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/nhost/nhost/security/advisories/GHSA-g2qj-prgh-4g9r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-598"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.48.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "nhost", "vendor": "nhost"}], "analysis": {"en": {"generated_at": "2026-04-06T19:38:29.262400+00:00", "value": {"mitigation_remediation": ["Upgrade Nhost to version 0.48.0 or later."], "summary": {"action": "Immediate Patch", "impact": "Confidentiality Breach via Refresh Token Leakage"}, "threat_synthesis": {"affected_systems": "Vendors: Nhost. Product: Nhost authentication service. Affected versions: any release before 0.48.0 that implements the OAuth provider callback flow. The vulnerability is resolved in version 0.48.0 and later.", "description_and_impact": "Nhost, an open source Firebase alternative, allows users to authenticate via OAuth providers. A flaw in the OAuth callback flow before version 0.48.0 places the refresh token directly into the redirect URL as a query parameter. Because URLs can be logged by browsers, servers, and network devices, the refresh token becomes exposed in browser history, server logs, HTTP referer headers, and proxy or CDN logs. This leakage could allow an attacker who gains access to any of those logs to harvest a one\u2011time use refresh token and then use it to obtain a new access token, thereby gaining unauthorized access to user accounts and protected resources, compromising confidentiality.", "risk_and_exploitability": "CVSS score is 2.3, indicating low overall severity. No EPSS score is available, and the issue is not listed in the CISA KEV catalog. The vulnerability can be exploited through the normal OAuth login process; an attacker only needs to observe server, CDN, or proxy logs to capture the leaked token. Because refresh tokens are one\u2011time use, the window of exploitation is narrow, but compromised tokens still enable access to user resources until invalidated. The risk is moderate for environments that retain logs and expose them to attackers or insiders."}}}}, "created": "2026-04-06T21:31:45.826946+00:00", "updated": "2026-04-07T09:39:17.136161+00:00", "vendors": ["nhost", "nhost$PRODUCT$nhost"]}