CVE-2026-34969 LOW

CVE-2026-34969: Nhost Leaks the Refresh Token via URL Query Parameter in OAuth Provider Callback

Vendor Nhost

Product nhost

Weakness CWE-200 · Info exposure

Published April 6, 2026

Last update April 7, 2026

View on NVD All CVEs

CVSS base score

2.3/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

What the vulnerability does

01Description

Nhost is an open source Firebase alternative with GraphQL. Prior to 0.48.0, the auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser history, server access logs, HTTP Referer headers, and proxy/CDN logs. Note that the refresh token is one-time use and all of these leak vectors are on owned infrastructure or services integrated by the application developer. This vulnerability is fixed in 0.48.0.

Key dates

02Disclosure timeline

April 6, 2026 CVE published

April 7, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-34969

Related vulnerabilities

CVE-2026-34969: Nhost Leaks the Refresh Token via URL Query Parameter in OAuth Provider Callback

01Description

02Disclosure timeline

03References

04Related CVE