Skip to main content

Nhost CVE-2026-41574

| EUVDEUVD-2026-28650 CRITICAL
Improper Authentication (CWE-287)
2026-05-08 security-advisories@github.com GHSA-6g38-8j4p-j3pr
9.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
May 08, 2026 - 16:18 EUVD
Source Code Evidence Fetched
May 08, 2026 - 16:16 vuln.today
Analysis Generated
May 08, 2026 - 16:16 vuln.today
CVE Published
May 08, 2026 - 15:16 nvd
CRITICAL 9.3

DescriptionGitHub Advisory

Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.49.1, Nhost automatically links an incoming OAuth identity to an existing Nhost account when the email addresses match. This is only safe when the email has been verified by the OAuth provider. Nhost's controller trusts a profile.EmailVerified boolean that is set by each provider adapter. The vulnerability is that several provider adapters do not correctly populate this field they either silently drop a verified field the provider API actually returns (Discord), or they fall back to accepting unconfirmed emails and marking them as verified (Bitbucket). Two Microsoft providers (AzureAD, EntraID) derive the email from non-ownership-proving fields like the user principal name, then mark it verified. The result is that an attacker can present an email they don't own to Nhost, have the OAuth identity merged into the victim's account, and receive a full authenticated session. This issue has been patched in version 0.49.1.

AnalysisAI

Authentication bypass in Nhost (open-source Firebase alternative) allows account takeover via OAuth email verification bypass. Attackers can claim a victim's email address on vulnerable OAuth providers (Discord, Bitbucket, AzureAD, EntraID) without verification, then authenticate to Nhost and receive a full session merged into the victim's existing account. The flaw affects multiple OAuth provider adapters that incorrectly populate the EmailVerified field - Discord silently drops the API's verified flag, Bitbucket accepts unconfirmed emails as verified, and Microsoft providers derive emails from non-ownership-proving fields like user principal names. Patched in version 0.49.1 per GitHub Security Advisory GHSA-6g38-8j4p-j3pr. No public exploit identified at time of analysis, but attack is trivially executable given the detailed technical disclosure.

Technical ContextAI

Nhost is a GraphQL-based backend-as-a-service platform written in Go that implements OAuth 2.0 and OpenID Connect (OIDC) authentication flows. The vulnerability exists in the OAuth identity linking logic within services/auth/go/controller/sign_in_id_token.go. When a user authenticates via an OAuth provider, Nhost's providerFlowSignIn() function automatically merges the OAuth identity with an existing Nhost account if the email addresses match. This design assumes the OAuth provider has verified email ownership and correctly communicates that status via a profile.EmailVerified boolean. However, the provider adapters in providers/ directory (discord.go, bitbucket.go, azure_ad.go, entra_id.go) fail to properly map the verification status from upstream APIs. Discord's adapter ignores the verified field returned by Discord's /users/@me endpoint. Bitbucket's adapter defaults to marking emails as verified despite Bitbucket not guaranteeing ownership. Microsoft providers extract emails from user principal names (UPNs) or other non-verified claims, then incorrectly mark them verified. The root cause is classified as CWE-287 (Improper Authentication) - specifically, insufficient verification of authentication factors during account linking. The fix in commit ec8dab3f2cf4 introduces an ensureProviderLinkAllowed() guard that rejects Unknown and Unverified email statuses, only permitting explicit Verified signals before merging identities.

RemediationAI

Upgrade Nhost authentication service to version 0.49.1 or later immediately. For self-hosted deployments, pull the patched container image or rebuild from source using commit ec8dab3f2cf4 or later from the main branch. Verify the fix by checking that services/auth/go/controller/sign_in_id_token.go contains the new ensureProviderLinkAllowed() function that rejects email verification statuses other than explicitly Verified. For Nhost Cloud users, confirm with Nhost support that your deployment has been upgraded to 0.49.1. If immediate patching is not feasible, implement compensating controls: disable OAuth provider integrations for Discord, Bitbucket, AzureAD, and EntraID in your Nhost configuration until patched (this will break OAuth login flows for legitimate users, so plan user communication accordingly). Audit authentication logs for suspicious OAuth sign-ins where a new provider was linked to an existing account within the vulnerability window - look for InsertUserProvider events where the email address does not match the provider's typical domain patterns (e.g., a Gmail address linked via AzureAD). Consider forcing password resets for high-value accounts if suspicious activity is detected. Review and tighten email verification requirements in your application's user onboarding flow as an additional defense layer. The patch introduces no breaking changes to legitimate OAuth workflows, only rejecting unverified email linkages that should never have been allowed.

Share

CVE-2026-41574 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy