CVE-2026-34969
Nhost Leaks the Refresh Token via URL Query Parameter in OAuth Provider Callback
Nhost is an open source Firebase alternative with GraphQL. Prior to 0.48.0, the auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser history, server access logs, HTTP Referer headers, and proxy/CDN logs. Note that the refresh token is one-time use and all of these leak vectors are on owned infrastructure or services integrated by the application developer. This vulnerability is fixed in 0.48.0.

| Field | Value |
| --- | --- |
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 13th |
| CWE | CWE-200, CWE-598 |
| Vendor | nhost |
| Product | nhost |
| Published | Apr 6, 2026 |
| Last Updated | Apr 7, 2026 |
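The advisory's point is that a token carried in a query string ends up in every log that records URLs, including the Referer of the next request. The following added example (not code from the advisory or from the Nhost project) shows how a defender can check their own access logs for this exposure: it scans constructed Combined Log Format lines for sensitive query parameters in both the request path and the Referer, and redacts the values in its report. The parameter names it looks for (`refreshToken`, `refresh_token`, `access_token`, `token`) are assumptions; the advisory does not state the exact parameter name Nhost used.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

# Query parameter names treated as secrets. These are assumed names; the
# advisory does not say which parameter carried the refresh token.
SENSITIVE_PARAMS = {"refreshtoken", "refresh_token", "access_token", "token"}

# Constructed sample access-log lines (Combined Log Format); not real traffic.
# Line 2: the post-callback redirect lands the token in the request path.
# Line 3: the token then travels onward in the Referer of the next request.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Apr/2026:10:01:02 +0000] "GET /v1/signin/provider/github/callback?code=abc123&state=xyz HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Apr/2026:10:01:03 +0000] "GET /?refreshToken=rt_EXAMPLE_SECRET_1 HTTP/1.1" 200 512 "https://auth.example.test/v1/signin/provider/github/callback" "Mozilla/5.0"
198.51.100.9 - - [06/Apr/2026:10:02:10 +0000] "GET /dashboard HTTP/1.1" 200 2048 "https://app.example.test/?refreshToken=rt_EXAMPLE_SECRET_2" "Mozilla/5.0"
198.51.100.9 - - [06/Apr/2026:10:02:11 +0000] "GET /static/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Extracts method, request target, status and Referer from a Combined Log Format line.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)


def sensitive_params_in(url):
    """Return the sorted list of sensitive query parameter names present in a URL."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(name for name in query if name.lower() in SENSITIVE_PARAMS)


def redact_url(url):
    """Replace the value of every sensitive query parameter with REDACTED.

    The same transformation belongs in the logging layer itself (access logs,
    proxy logs, error reporting) so that a token never reaches disk.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in query:
        if name.lower() in SENSITIVE_PARAMS:
            query[name] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def find_token_leaks(log_text):
    """Scan access-log text and report each line whose request path or Referer
    carries a sensitive parameter. Token values are redacted in the findings."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.search(line)
        if not m:
            continue
        for field in ("path", "referer"):
            url = m.group(field)
            if url == "-":
                continue
            names = sensitive_params_in(url)
            if names:
                findings.append(
                    {"line": lineno, "field": field, "params": names, "url": redact_url(url)}
                )
    return findings


if __name__ == "__main__":
    for f in find_token_leaks(SAMPLE_LOG):
        print(f"line {f['line']}: {f['field']} carries {f['params']} -> {f['url']}")
```

Run against the sample, the scanner flags line 2 (token in the request path) and line 3 (token in the Referer of an unrelated request), which is exactly the two-hop exposure the advisory describes: the token leaks once into the auth service's own log and again into whatever site the user lands on next. A positive hit in production logs is also a signal that the affected version is still deployed.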
Affected Versions
nhost / nhost
< 0.48.0