Cyber Posture

CVE-2026-34969

Severity: High · Public PoC

Published: 06 April 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: fixed in 0.48.0
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0005 (14.3rd percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-34969 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Nhost's auth service (nhost/auth). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528). EPSS ranks it at the 14.3rd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and AU-9 (Protection of Audit Information).

Threat & Defense at a Glance

What attackers do: exploitation maps to Steal Application Access Token (T1528). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent
IA-5 (Authenticator Management) requires protecting authenticator content from unauthorized disclosure and modification. A refresh token is an authenticator, so a design review against IA-5 flags placing it in a redirect URL query parameter, where every intermediary and every log in the request path can read it.

prevent
AU-9 (Protection of Audit Information) restricts access to, and modification and deletion of, audit records. It limits who can read refresh tokens that have already landed in server access logs, in the logs of endpoints that receive the landing page's Referer header, and in proxy/CDN logs; it does not stop the token from being written there in the first place.

prevent
SC-28 (Protection of Information at Rest) protects stored information with cryptographic or other mechanisms, reducing the exposure of refresh tokens held in log files on disk or in log archives.

MITRE ATT&CK Enterprise Techniques · AI

T1528 Steal Application Access Token (Credential Access)
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Why these techniques?

The vulnerability places the refresh token issued by the auth service after the OAuth provider callback directly in the redirect URL's query string, so it is retrievable from browser history, server access logs, Referer headers sent to third-party resources loaded by the landing page, and proxy/CDN logs. Anyone who can read one of those sinks obtains a credential that can be redeemed for a session, without needing any privileges on the auth service itself. That is the T1528 pattern, with the caveat that the leaked artifact is a refresh token rather than an access token.
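The leak sinks listed above are exactly where a defender should look during triage. The following Go program is an added example, not code from the Nhost project or this page: it scans a constructed nginx-style access log for a refresh token arriving in a request URI or in a Referer header, and shows a redaction pass that strips the value before the line is retained or shipped to a SIEM. The parameter name `refreshToken` is assumed to be the one the client reads from the redirect; the log format, IP addresses and token value are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Leak records one place in a log line where a refresh token was found.
type Leak struct {
	Line  int    // 1-based index into the scanned log
	Field string // "request" (request URI) or "referer" (Referer header)
	Param string // query parameter that carried the token
	Token string
}

// tokenParams are query-parameter names that carry session secrets.
// "refreshToken" is assumed to be the name the nhost client reads from the
// OAuth redirect; the other two are common alternatives.
var tokenParams = []string{"refreshToken", "refresh_token", "access_token"}

// accessLogRe captures the request target and the Referer of a combined-format
// access log line. Written for the constructed sample below, not a general parser.
var accessLogRe = regexp.MustCompile(`"(?:GET|POST) (\S+) HTTP/[\d.]+" \d{3} \d+ "([^"]*)"`)

// tokenValueRe rewrites the value of a secret-bearing parameter wherever it
// appears in a line (request URI or Referer), for log redaction.
var tokenValueRe = regexp.MustCompile(`\b(refreshToken|refresh_token|access_token)=[^&\s"]+`)

// sampleLog is a constructed access log of a front-end that receives the auth
// service's OAuth redirect. Line 2 shows the token in the request URI; line 3
// shows it leaking to a sub-resource request via the Referer header.
var sampleLog = []string{
	`203.0.113.7 - - [06/Apr/2026:10:15:32 +0000] "GET /v1/signin/provider/github/callback?code=abc&state=xyz HTTP/1.1" 302 0 "-"`,
	`203.0.113.7 - - [06/Apr/2026:10:15:33 +0000] "GET /?refreshToken=d4e5f6a7-1111-2222-3333-444455556666 HTTP/1.1" 200 512 "-"`,
	`203.0.113.7 - - [06/Apr/2026:10:15:33 +0000] "GET /static/app.js HTTP/1.1" 200 9000 "https://app.example.com/?refreshToken=d4e5f6a7-1111-2222-3333-444455556666"`,
	`198.51.100.9 - - [06/Apr/2026:10:16:01 +0000] "GET /healthz HTTP/1.1" 200 2 "-"`,
}

// tokensInURL returns (param, value) pairs for secret-bearing query parameters
// of an absolute URL or a request path, in the fixed order of tokenParams.
func tokensInURL(raw string) [][2]string {
	u, err := url.Parse(raw)
	if err != nil {
		return nil
	}
	q := u.Query()
	var out [][2]string
	for _, k := range tokenParams {
		for _, v := range q[k] {
			if v != "" {
				out = append(out, [2]string{k, v})
			}
		}
	}
	return out
}

// FindLeakedTokens scans log lines and reports every token found in a
// request URI or a Referer header.
func FindLeakedTokens(lines []string) []Leak {
	var leaks []Leak
	for i, line := range lines {
		m := accessLogRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		for _, t := range tokensInURL(m[1]) {
			leaks = append(leaks, Leak{i + 1, "request", t[0], t[1]})
		}
		if m[2] != "-" {
			for _, t := range tokensInURL(m[2]) {
				leaks = append(leaks, Leak{i + 1, "referer", t[0], t[1]})
			}
		}
	}
	return leaks
}

// RedactTokens masks secret-bearing parameter values so the line can be kept
// or forwarded without carrying a usable credential.
func RedactTokens(line string) string {
	return tokenValueRe.ReplaceAllString(line, "${1}=[REDACTED]")
}

func main() {
	for _, l := range FindLeakedTokens(sampleLog) {
		fmt.Printf("line %d: %s param %q carries a token (%s...)\n", l.Line, l.Field, l.Param, l.Token[:8])
	}
	for _, line := range sampleLog {
		fmt.Println(RedactTokens(line))
	}
}
```

Run against the constructed sample, the scanner reports the same token twice: once in the landing-page request (line 2) and once in the Referer of the asset request that follows it (line 3). The second hit is the one that escapes the operator's own infrastructure whenever `app.js` is served by a third-party CDN, which is why the Referer field deserves the same treatment as the request line.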

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Nhost is an open source Firebase alternative with GraphQL. Prior to 0.48.0, the auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser history, server access logs, HTTP Referer headers, and proxy/CDN logs. Note that the refresh token is one-time use and all of these leak vectors are on owned infrastructure or services integrated by the application developer. This vulnerability is fixed in 0.48.0.

Deeper analysis · AI

CVE-2026-34969 is a vulnerability in Nhost, an open source Firebase alternative with GraphQL support, affecting versions prior to 0.48.0. In the auth service's OAuth provider callback flow, the refresh token is placed directly into the redirect URL as a query parameter. This exposes the token to logging in browser history, server access logs, HTTP Referer headers, and proxy/CDN logs. The issue is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-598 (Use of GET Request Method with Sensitive Query Strings), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

The CVSS vector scores the issue as exploitable without privileges or user interaction on the auth service itself. In practice an attacker needs read access to one of the sinks the token lands in: the application's own server or proxy/CDN logs, the logs of a third-party service that receives the landing page's Referer header, or the history of a shared browser. A retrieved token can be redeemed for a session on the associated account. Because the token is one-time use, a copy read from a log after the legitimate client has already redeemed it is worthless, so the practical window is the interval between the redirect and the client's exchange, plus any case where the client never completes the exchange. Conversely, if the attacker redeems the copy first, the user's own exchange fails, which should surface as a failed sign-in and is worth alerting on.

Nhost has addressed the issue in version 0.48.0. Additional details on the vulnerability and mitigation are available in the GitHub security advisory at https://github.com/nhost/nhost/security/advisories/GHSA-g2qj-prgh-4g9r.
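To make the flaw concrete, the following Go program is an added example that is not the Nhost project's source and does not claim to reproduce the 0.48.0 fix. It reconstructs the pre-0.48.0 pattern (refresh token in the redirect's query string) beside one hardened alternative (token delivered in the URL fragment, which browsers never send to servers, never place in a Referer header, and proxies and CDNs never see), and provides a `LocationLeaksSecret` check a team can drop into the tests of any OAuth callback handler. The redirect target, parameter name `refreshToken` and token value are constructed for the example. Fragment delivery still leaves the token in browser history; a client should consume it immediately and strip it with `history.replaceState`, and an HttpOnly cookie or a server-side code exchange is stronger where the deployment allows it.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// sensitiveParams are query keys that must never appear in a server-visible
// URL component. The names are assumptions for this example.
var sensitiveParams = []string{"refreshToken", "refresh_token", "accessToken", "access_token"}

// vulnerableCallback mirrors the pre-0.48.0 pattern the advisory describes:
// the refresh token rides in the redirect URL's query string, so the
// front-end's access log, every proxy/CDN in the path and every Referer
// header the landing page emits will carry it. Reconstructed for
// illustration, not the project's source.
func vulnerableCallback(redirectTo, refreshToken string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		u, _ := url.Parse(redirectTo)
		q := u.Query()
		q.Set("refreshToken", refreshToken)
		u.RawQuery = q.Encode()
		http.Redirect(w, r, u.String(), http.StatusFound)
	}
}

// hardenedCallback delivers the token in the URL fragment instead. The
// fragment is processed only by the browser: it is not sent to the origin
// server, is excluded from Referer, and is invisible to proxies and CDNs.
func hardenedCallback(redirectTo, refreshToken string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		u, _ := url.Parse(redirectTo)
		f := url.Values{}
		f.Set("refreshToken", refreshToken)
		u.Fragment = f.Encode() // rendered by u.String() as "#refreshToken=..."
		http.Redirect(w, r, u.String(), http.StatusFound)
	}
}

// LocationLeaksSecret reports whether a redirect Location carries a sensitive
// parameter in its query string, the component servers and proxies log.
func LocationLeaksSecret(location string) (bool, error) {
	u, err := url.Parse(location)
	if err != nil {
		return false, err
	}
	q := u.Query()
	for _, p := range sensitiveParams {
		if q.Get(p) != "" {
			return true, nil
		}
	}
	return false, nil
}

// redirectLocation drives a handler with a recorded callback request and
// returns the Location header it emits.
func redirectLocation(h http.HandlerFunc) string {
	req := httptest.NewRequest(http.MethodGet, "/v1/signin/provider/github/callback?code=abc&state=xyz", nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Header().Get("Location")
}

func main() {
	const token = "d4e5f6a7-1111-2222-3333-444455556666" // constructed value
	for _, c := range []struct {
		name string
		h    http.HandlerFunc
	}{
		{"vulnerable", vulnerableCallback("https://app.example.com/", token)},
		{"hardened", hardenedCallback("https://app.example.com/", token)},
	} {
		loc := redirectLocation(c.h)
		leaks, _ := LocationLeaksSecret(loc)
		fmt.Printf("%-10s Location=%s  leaks-in-query=%v\n", c.name, loc, leaks)
	}
}
```

`LocationLeaksSecret` is the piece worth keeping: wired into a handler test, it fails the build if anyone reintroduces a session secret into a query string, which is the regression class this CVE belongs to.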

Details

CWE(s)

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-598 Use of GET Request Method with Sensitive Query Strings

Affected Products

nhost / nhost/auth
< 0.48.0 (fixed in 0.48.0)

CVEs Like This One

CVE-2025-21620 (shared CWE-200)
CVE-2026-33745 (shared CWE-200)
CVE-2026-40895 (shared CWE-200)
CVE-2026-33180 (shared CWE-200)
CVE-2025-70963 (shared CWE-200)
CVE-2026-34200 (same vendor: Nhost)
CVE-2026-41323 (shared CWE-200)
CVE-2026-26069 (shared CWE-200)
CVE-2026-30845 (shared CWE-200)
CVE-2026-35442 (shared CWE-200)

References