CVE-2026-34969

| EUVD-2026-19358 LOW
2026-04-01 https://github.com/nhost/nhost GHSA-g2qj-prgh-4g9r
2.3
CVSS 4.0

CVSS Vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch Released
Apr 02, 2026 - 14:30 nvd
Patch available
Analysis Generated
Apr 02, 2026 - 00:15 vuln.today
EUVD ID Assigned
Apr 02, 2026 - 00:15 euvd
EUVD-2026-19358
CVE Published
Apr 01, 2026 - 23:36 nvd
LOW 2.3

Tags

Information Disclosure Apple Microsoft Google

Description

# Refresh Token Leaked via URL Query Parameter in OAuth Provider Callback ## Summary The auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser history, server access logs, HTTP Referer headers, and proxy/CDN logs. Note that the refresh token is one-time use and all of these leak vectors are on owned infrastructure or services integrated by the application developer. ## Affected Component - **Repository**: `github.com/nhost/nhost` - **Service**: `services/auth` - **File**: `services/auth/go/controller/sign_in_provider_callback_get.go` - **Function**: `signinProviderProviderCallback` (lines 257-261) ## Root Cause In `sign_in_provider_callback_get.go:257-261`, after successful OAuth sign-in, the refresh token is appended as a URL query parameter: ```go if session != nil { values := redirectTo.Query() values.Add("refreshToken", session.RefreshToken) redirectTo.RawQuery = values.Encode() } ``` This results in a redirect like: ``` HTTP/1.1 302 Found Location: https://myapp.com/callback?refreshToken=a1b2c3d4-e5f6-7890-abcd-ef1234567890 ``` ## Proof of Concept ### Step 1: Initiate OAuth login ``` GET /signin/provider/github?redirectTo=https://myapp.com/callback ``` ### Step 2: Complete OAuth flow with provider ### Step 3: Auth service redirects with token in URL ``` HTTP/1.1 302 Found Location: https://myapp.com/callback?refreshToken=a1b2c3d4-e5f6-7890-abcd-ef1234567890 ``` ### Step 4: Token is now visible in owned infrastructure and services: **Browser History:** ``` # User's browser history now contains the refresh token ``` **HTTP Referer Header:** ``` # If the callback page loads ANY external resource (image, script, etc.): GET /resource.js HTTP/1.1 Host: cdn.example.com Referer: https://myapp.com/callback?refreshToken=a1b2c3d4-e5f6-... # Note: modern browsers default to strict-origin-when-cross-origin policy, # which strips query parameters from cross-origin Referer headers. # Additionally, the Referer is only sent to services integrated by the # application developer (analytics, CDNs, etc.), not arbitrary third parties. ``` **Server Access Logs:** ``` # Reverse proxy, CDN, or load balancer logs on owned infrastructure: 2026-03-08 12:00:00 GET /callback?refreshToken=a1b2c3d4-e5f6-... 200 ``` ### Step 5: Attacker uses stolen refresh token ```bash # Exchange stolen refresh token for new access token curl -X POST https://auth.nhost.run/v1/token \ -H 'Content-Type: application/json' \ -d '{"refreshToken": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"}' # Note: refresh tokens are one-time use, so this only works if the # legitimate client has not already consumed the token and if the attacker has # compromised your infrastructure to get access to this information ``` ## Impact 1. **Session Hijacking**: Anyone who obtains the token before it is consumed by the legitimate client can generate new access tokens, though the refresh token is one-time use and cannot be reused after consumption. 2. **Leak Vectors**: URL query parameters are visible in owned infrastructure and integrated services: - Browser history (local access) - HTTP Referer headers (mitigated by modern browser default referrer policies; only sent to developer-integrated services) - Server access logs (owned infrastructure) - Proxy/CDN/WAF logs (owned infrastructure) 3. **Affects All OAuth Providers**: Every OAuth provider flow (GitHub, Google, Apple, etc.) goes through the same callback handler. ## Fix Implemented PKCE (Proof Key for Code Exchange) for the OAuth flow. With PKCE, the authorization code cannot be exchanged without the `code_verifier` that only the original client possesses, preventing token misuse even if the URL is logged. See: https://docs.nhost.io/products/auth/pkce/ ## Resources - OWASP: Session Management - Token Transport: "Session tokens should not be transported in the URL" - RFC 6749 Section 10.3: "Access tokens and refresh tokens MUST NOT be included in the redirect URI" - CWE-598: Use of GET Request Method With Sensitive Query Strings - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Analysis

Nhost auth service exposes OAuth refresh tokens in redirect URL query parameters, allowing access to browser history, server logs, and proxy logs on owned infrastructure. While refresh tokens are single-use and leak vectors are primarily confined to developer-controlled systems, the vulnerability violates RFC 6749 token transport requirements and enables session hijacking if logs are accessed before the token is legitimately consumed. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

12
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +12
POC: 0

Share

CVE-2026-34969 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy