Description
Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.49.1, Nhost automatically links an incoming OAuth identity to an existing Nhost account when the email addresses match. This is only safe when the email has been verified by the OAuth provider. Nhost's controller trusts a profile.EmailVerified boolean that is set by each provider adapter. The vulnerability is that several provider adapters do not correctly populate this field: they either silently drop a verified field the provider API actually returns (Discord), or they fall back to accepting unconfirmed emails and marking them as verified (Bitbucket). Two Microsoft providers (AzureAD, EntraID) derive the email from non-ownership-proving fields like the user principal name, then mark it verified. The result is that an attacker can present an email they don't own to Nhost, have the OAuth identity merged into the victim's account, and receive a fully authenticated session. This issue has been patched in version 0.49.1.
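As an added illustration (not Nhost's code), the shape of the safe rule the description implies, written in Go with hypothetical adapter functions: the controller auto-links only when EmailVerified is true, and the Discord- and Bitbucket-style adapters carry the provider's own verified/is_confirmed flag through instead of dropping it or defaulting to true. The JSON samples are constructed and their field names are assumed to follow those providers' user and email endpoints; the Microsoft user-principal-name case is not modelled.

```go
package main

import "encoding/json"

// Profile is a hypothetical stand-in for the per-adapter profile the controller consumes.
type Profile struct {
	Email         string
	EmailVerified bool
}

// Decide applies the safe rule: auto-link to an existing account only when the
// provider proved ownership of the email; otherwise never touch that account.
func Decide(p Profile, existing map[string]bool) string {
	if p.EmailVerified && existing[p.Email] {
		return "link-existing"
	}
	return "new-account-or-reject"
}

// DiscordProfile propagates the provider's own "verified" field rather than dropping it.
func DiscordProfile(raw []byte) (Profile, error) {
	var u struct {
		Email    string `json:"email"`
		Verified bool   `json:"verified"`
	}
	if err := json.Unmarshal(raw, &u); err != nil {
		return Profile{}, err
	}
	return Profile{Email: u.Email, EmailVerified: u.Verified}, nil
}

// BitbucketProfile uses only a confirmed address; instead of falling back to an
// unconfirmed one marked verified, it returns no linkable email at all.
func BitbucketProfile(raw []byte) (Profile, error) {
	var r struct {
		Values []struct {
			Email       string `json:"email"`
			IsConfirmed bool   `json:"is_confirmed"`
		} `json:"values"`
	}
	if err := json.Unmarshal(raw, &r); err != nil {
		return Profile{}, err
	}
	for _, e := range r.Values {
		if e.IsConfirmed {
			return Profile{Email: e.Email, EmailVerified: true}, nil
		}
	}
	return Profile{}, nil // no confirmed address: nothing to auto-link on
}
```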
Published: 2026-05-08
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Nhost accepts an OAuth identity that claims an email address and trusts a boolean 'EmailVerified' supplied by the OAuth provider. Several provider adapters mistakenly set this flag to true—even when the email is unverified—allowing an attacker to present any email they want and have that email linked to a victim’s Nhost account. When the identities are merged, the attacker receives a fully authenticated session with the victim’s privileges. This vulnerability is a classic Authentication Bypass (CWE-287).

Affected Systems

The affected product is Nhost (an open‑source Firebase alternative using GraphQL) from the vendor nhost. All versions released before 0.49.1 contain the flaw; version 0.49.1 and later incorporate the fix.

Risk and Exploitability

The CVSS score of 9.3 indicates a critical severity. EPSS is not available, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires control over the OAuth flow—specifically, the attacker must obtain an OAuth token for an email that the provider claims is verified. With this token, the attacker can initiate a login to Nhost, causing the service to link the attacker’s unverified email to the target account. The prerequisite is that the Nhost deployment uses an OAuth provider whose adapter fails to populate EmailVerified correctly. The vulnerability can be exploited remotely over the internet and can lead to full account compromise.

Generated by OpenCVE AI on May 8, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Nhost to version 0.49.1 or later.
  • Verify that the OAuth provider adapters you use correctly handle the 'EmailVerified' flag and that unverified emails are not automatically accepted.
  • If feasible, enforce stricter rules within Nhost to reject OAuth identities with unverified emails or remove incorrectly linked identities from accounts.

Generated by OpenCVE AI on May 8, 2026 at 17:51 UTC.


Advisories

Source: GitHub GHSA
ID: GHSA-6g38-8j4p-j3pr
Title: Nhost Vulnerable to Account Takeover via OAuth Email Verification Bypass
History

Sat, 09 May 2026 00:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 08 May 2026 23:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Nhost; Nhost nhost

Type: Vendors & Products
Values Removed: (none)
Values Added: Nhost; Nhost nhost

Fri, 08 May 2026 15:15:00 +0000

Type: Description
Values Added: Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.49.1, Nhost automatically links an incoming OAuth identity to an existing Nhost account when the email addresses match. This is only safe when the email has been verified by the OAuth provider. Nhost's controller trusts a profile.EmailVerified boolean that is set by each provider adapter. The vulnerability is that several provider adapters do not correctly populate this field: they either silently drop a verified field the provider API actually returns (Discord), or they fall back to accepting unconfirmed emails and marking them as verified (Bitbucket). Two Microsoft providers (AzureAD, EntraID) derive the email from non-ownership-proving fields like the user principal name, then mark it verified. The result is that an attacker can present an email they don't own to Nhost, have the OAuth identity merged into the victim's account, and receive a fully authenticated session. This issue has been patched in version 0.49.1.

Type: Title
Values Added: Nhost Vulnerable to Account Takeover via OAuth Email Verification Bypass

Type: Weaknesses
Values Added: CWE-287

Type: References

Type: Metrics (cvssV4_0)
Values Added: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T23:25:43.790Z

Reserved: 2026-04-21T14:15:21.957Z

Link: CVE-2026-41574

Vulnrichment

Updated: 2026-05-08T23:25:36.752Z

NVD

Status: Awaiting Analysis

Published: 2026-05-08T15:16:40.580

Modified: 2026-05-08T16:02:14.343

Link: CVE-2026-41574

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T23:15:20Z

Weaknesses