HighCVENVD — high/critical CVEs (rolling 7d)· 6 Apr 2026

CVE-2026-34969 — Nhost is an open source Firebase alternative with GraphQL. Prior to 0.48.0, the…

Severity: High · Kind: Vulnerability

Plain-English summary on the way

We've ingested this item but haven't summarised it yet. Read the upstream advisory using the link below in the meantime — the AI summary will appear here once the next run completes.

From the source

Nhost is an open source Firebase alternative with GraphQL. Prior to 0.48.0, the auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser history, server access logs, HTTP Referer headers, and proxy/CDN logs. Note that the refresh token is one-time use and all of these leak vectors are on owned infrastructure or services integrated by the application developer. This vulnerability is fixed in 0.48.0.

Vulnerability facts

CVE: CVE-2026-34969
CVSS: 7.5

Read the original advisory →← All threat intel

Was this useful?

00000Sign in to react

Plain-English summaries are AI-generated and reviewed for tone, not technical accuracy. For incident response, always rely on the original source linked above.