Auth bypass in Nhost

CVE-2026-41574

Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.49.1, Nhost automatically links an incoming OAuth identity to an existing Nhost account when the email addresses match. This is only safe when the email has been…

Vulnerability class: Broken Authentication

EPSS: 0.000 (5.3rd percentile).

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Frequently asked questions

What is CVE-2026-41574?
CVE-2026-41574 is a critical-severity vulnerability in Nhost, classified under Improper Authentication. CVSS score: 9.8/10. Published 2026-05-08.
How severe is CVE-2026-41574?
Critical severity. CVSS v3 base score is 9.8 out of 10.