Vulnerability DatabaseCVE-2026-34969
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-34969
Published:April 06, 2026
Updated:April 20, 2026
Nhost is an open source Firebase alternative with GraphQL. Prior to 0.48.0, the auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser history, server access logs, HTTP Referer headers, and proxy/CDN logs. Note that the refresh token is one-time use and all of these leak vectors are on owned infrastructure or services integrated by the application developer. This vulnerability is fixed in 0.48.0.
Affected Packages
github.com/nhost/nhost (GO):
Affected version(s) >=v0.0.0-20241205151838-3b37af06a03d <v0.0.0-20260329113043-968b78a489ea
Fix Suggestion:
Update to version v0.0.0-20260329113043-968b78a489ea
Related Resources (4)
https://docs.nhost.io/products/auth/pkce
https://github.com/nhost/nhost
https://github.com/nhost/nhost/security/advisories/GHSA-g2qj-prgh-4g9r
https://nvd.nist.gov/vuln/detail/CVE-2026-34969
Do you need more information?
Contact Us
CVSS v4
Base Score:
2.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
PRESENT
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
LOW
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
3.4
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Exposure of Sensitive Information to an Unauthorized Actor
CWE-200
Use of GET Request Method With Sensitive Query Strings
CWE-598
EPSS
Base Score:
0.06