OAuth Provider Callback Flow Vulnerability in Nhost by Nhost
CVE-2026-34969

2.3 LOW

Key Information:

Vendor: Nhost
Status: Vendor
CVE Published: 6 April 2026

What is CVE-2026-34969?

In Nhost, an open-source Firebase alternative, versions prior to 0.48.0 contain a vulnerability in the OAuth provider callback flow: refresh tokens are passed as query parameters in the redirect URL. Because a query string travels with the URL, the refresh token can be captured in browser history, server access logs, and any other services integrated into the redirect path. Each refresh token is one-time use, but the potential for leakage remains high, particularly in log stores and systems managed by application developers. Users of affected versions should upgrade to 0.48.0 or later to mitigate the risk.
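The leak described above shows up wherever the redirect URL is recorded, so one defender-side check is to scan web server access logs for callback requests whose query string carries a token and to redact them before the logs are retained. The following is an added example, not Nhost's code; the parameter names refreshToken/refresh_token, the callback path and the log lines are all constructed assumptions, since the advisory does not name the actual parameter.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed parameter names: the advisory only says "refresh tokens as query
# parameters", so these are a constructed guess, not taken from Nhost's code.
SENSITIVE_PARAMS = {"refreshtoken", "refresh_token"}

# Request part of a combined-log-format line: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def leaked_params(url):
    """Return the sensitive query-parameter names present in a URL's query string."""
    query = urlsplit(url).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})

def redact_url(url):
    """Replace the value of each sensitive query parameter with REDACTED, keeping the rest."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def scan_access_log(lines):
    """Return (line_no, leaked_names, redacted_line) for each request whose URL leaks a token."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we can parse; leave it alone
        names = leaked_params(m.group("target"))
        if names:
            redacted = (line[:m.start("target")] + redact_url(m.group("target"))
                        + line[m.end("target"):])
            findings.append((n, names, redacted))
    return findings

# Constructed sample log lines (not real traffic); paths and token values are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Apr/2026:10:00:01 +0000] "GET /auth/provider/callback?code=abc HTTP/1.1" 302 0',
    '203.0.113.5 - - [06/Apr/2026:10:00:02 +0000] "GET /app/auth?refreshToken=PLACEHOLDER-TOKEN-1 HTTP/1.1" 200 512',
    '198.51.100.9 - - [06/Apr/2026:10:00:03 +0000] "GET /app/dashboard HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for n, names, redacted in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: token parameter(s) {names} in URL -> {redacted}")
```

The same `leaked_params` check can be applied to a redirect URL before it is issued, as a regression test that the callback no longer places the token in the query string.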

Affected Version(s)

nhost < 0.48.0

References

CVSS V4

Score: 2.3
Severity: LOW
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
