Cross-Origin Request Vulnerability in Nhost CLI MCP Server
CVE-2026-34200
What is CVE-2026-34200?
Before version 1.41.0, the Nhost CLI MCP server, when improperly configured to listen on a network port, accepted inbound requests without authentication and did not enforce a strict CORS policy. Because the server is reachable from the developer's browser, a malicious website open in that browser could issue cross-origin requests to the local MCP endpoint and invoke its privileged tools, which run with the developer's local credentials. Version 1.41.0 fixes this; until it is installed, the server should not be run on a network port.
Affected Version(s)
nhost < 1.41.0
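To make the failure mode concrete, the following Go example is added here; it is not Nhost's code, and the `/mcp` path, the bearer token and the allowed origins are placeholders. It places a handler that reproduces the weak configuration the advisory describes (no authentication, wildcard CORS) beside one that enforces an Origin allowlist and a bearer token, and probes both with the request a cross-origin web page would send.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Placeholder values for the demonstration; not Nhost's real path or token.
const (
	mcpPath     = "/mcp"
	bearerToken = "dev-local-token-CHANGE-ME"
)

// allowedOrigins lists the only browser origins permitted to call the server
// (hypothetical loopback origins). Any other Origin header is rejected.
var allowedOrigins = map[string]bool{
	"http://127.0.0.1:8080": true,
	"http://localhost:8080": true,
}

const toolsListReply = `{"jsonrpc":"2.0","id":1,"result":{"tools":[]}}`

// vulnerableHandler models the pre-1.41.0 behaviour the advisory describes:
// no inbound authentication and a wildcard CORS policy, so the browser lets
// any web page both send the request and read the response.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Access-Control-Allow-Origin", "*")
	w.Header().Set("Access-Control-Allow-Headers", "Content-Type")
	if r.Method == http.MethodOptions { // preflight passes for every origin
		w.WriteHeader(http.StatusNoContent)
		return
	}
	fmt.Fprint(w, toolsListReply)
}

// hardenedHandler applies two independent controls: an explicit Origin
// allowlist, so a foreign page fails the CORS preflight, and a bearer token,
// which a web page cannot supply on the attacker's behalf. The token also
// covers non-browser clients that send no Origin header at all.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	if origin := r.Header.Get("Origin"); origin != "" {
		if !allowedOrigins[origin] {
			http.Error(w, "forbidden origin", http.StatusForbidden)
			return
		}
		// Echo only the specific allowed origin; never "*".
		w.Header().Set("Access-Control-Allow-Origin", origin)
		w.Header().Set("Vary", "Origin")
		w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
	}
	if r.Method == http.MethodOptions {
		w.WriteHeader(http.StatusNoContent)
		return
	}
	want := []byte("Bearer " + bearerToken)
	got := []byte(r.Header.Get("Authorization"))
	if subtle.ConstantTimeCompare(got, want) != 1 {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	fmt.Fprint(w, toolsListReply)
}

// probe sends a JSON-RPC tools/list call the way a cross-origin page would
// (attacker-controlled Origin, optional Authorization) and returns the status.
func probe(h http.HandlerFunc, origin, authz string) int {
	body := strings.NewReader(`{"jsonrpc":"2.0","id":1,"method":"tools/list"}`)
	req := httptest.NewRequest(http.MethodPost, mcpPath, body)
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Origin", origin)
	if authz != "" {
		req.Header.Set("Authorization", authz)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	attacker := "https://attacker.example" // constructed hostile origin
	fmt.Println("vulnerable, attacker origin:      ", probe(vulnerableHandler, attacker, ""))
	fmt.Println("hardened, attacker origin:        ", probe(hardenedHandler, attacker, ""))
	fmt.Println("hardened, allowed origin, no token:", probe(hardenedHandler, "http://localhost:8080", ""))
	fmt.Println("hardened, allowed origin, token:   ", probe(hardenedHandler, "http://localhost:8080", "Bearer "+bearerToken))
}
```

The origin allowlist alone would not stop a non-browser client on the same network from calling a server bound to a network port, which is why the hardened handler also requires the bearer token for every non-preflight request.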
