CVE-2026-34200

UNKNOWN 0.0

Nhost CLI MCP Server: Missing Inbound Authentication on Explicitly Bound Network Port

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Nhost is an open source Firebase alternative with GraphQL. Prior to version 1.41.0, The Nhost CLI MCP server, when explicitly configured to listen on a network port, applies no inbound authentication and does not enforce strict CORS. This allows a malicious website visited on the same machine to issue cross-origin requests to the MCP server and invoke privileged tools using the developer's locally configured credentials. This vulnerability requires two explicit, non-default configuration steps to be exploitable. The default nhost mcp start configuration is not affected. This issue has been patched in version 1.41.0.

CWE	CWE-306 CWE-942
Vendor	nhost
Product	nhost
Published	Mar 31, 2026
Last Updated	Mar 31, 2026

Stay Ahead of the Next One

Get instant alerts for nhost nhost

Be the first to know when new unknown vulnerabilities affecting nhost nhost are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

nhost / nhost

< 1.41.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/nhost/nhost/security/advisories/GHSA-6c5x-3h35-vvw2 github.com: https://github.com/nhost/nhost/pull/4060 github.com: https://github.com/nhost/nhost/commit/15eae9285f9dce63e184b9bb24616474ffa5ccc9