Information disclosure in Nhost

CVE-2026-34969

Nhost is an open source Firebase alternative with GraphQL. Prior to 0.48.0, the auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in…

Vulnerability class: Information Disclosure

EPSS: 0.001 (19.8th percentile)

Affected products

  • Nhost — versions < 0.48.0
