CVE-2026-34969

LOW SEVERITY

Vulnerability Description

Nhost is an open source Firebase alternative with GraphQL. Prior to 0.48.0, the auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser history, server access logs, HTTP Referer headers, and proxy/CDN logs. Note that the refresh token is one-time use and all of these leak vectors are on owned infrastructure or services integrated by the application developer. This vulnerability is fixed in 0.48.0.

Vulnerability Details

Published Date

April 01, 2026

Last Modified

April 07, 2026

CWE ID

CWE-200

Source

GitHub

Vendor

Product

github.com/nhost/nhost

External References

https://github.com/nhost/nhost/security/advisories/GHSA-g2qj-prgh-4g9r
https://docs.nhost.io/products/auth/pkce
https://github.com/advisories/GHSA-g2qj-prgh-4g9r

CVE-2026-34969

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment