Nhost authentication can be hijacked allowing attackers full account access

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-41574

Nhost authentication is broken, letting attackers steal user accounts by linking their own email via flawed login methods. Update Nhost immediately to prevent unauthorized access to sensitive data.

Halo Surface Signal: 5

Weakness: Authentication Bypass

Affected component: Nhost/auth

Affected versions: before 0.49.1

External exposure likelihood

Halo Surface Signal score for CVE-2026-41574

The vulnerability exists within an authentication service responsible for OAuth identity linking. This component acts as a public-facing login gateway for web applications, requiring internet reachability to facilitate user sign-in. As an identity portal and authentication endpoint, this service is designed to be accessible from the public internet in all standard deployments.

PCI scan relevance

Halo PCI Relevance for CVE-2026-41574: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows attackers to impersonate users in Nhost by linking unverified email addresses during OAuth authentication, which could impact systems processing payment card information.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This Nhost vulnerability allows an attacker to link an unverified email address to an existing account. This could enable them to gain authenticated access to another user's account without proper verification.

  • Unauthenticated access to accounts.
  • Compromised user data and sessions.
  • Attackers can exploit unverified emails.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this by tricking a user into initiating an OAuth login with a provider whose email verification is flawed. This lets the attacker associate their own email with the victim's Nhost account and gain authenticated access. The attacker needs no prior access, only the ability to prompt a user through a specific OAuth flow.

  • Unauthenticated attacker.
  • Flawed OAuth provider adapters.
  • Victim must initiate login.

Live Threat

Current exploitation, exposure, and threat context

Attackers will find this vulnerability attractive due to its potential for account takeover, allowing them to impersonate users by linking their own OAuth identity to an existing account. The ease of exploitation, requiring only an email address and the ability to manipulate OAuth provider responses, makes it a compelling target for automated attacks or targeted campaigns. This vulnerability impacts the core authentication mechanism, creating a direct path to unauthorized access.

  • Exploitable via OAuth identity linking.
  • Allows unauthorized account access.
  • Affects authentication flow.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching Nhost versions prior to 0.49.1 immediately due to the critical risk of unauthorized account access. If patching is delayed, isolate affected services to prevent exploitation.

  • Upgrade Nhost to version 0.49.1 or later.
  • Block suspicious OAuth login attempts.
  • Monitor for account takeovers.

Frequently asked questions

What is Nhost and what is it used for?

Nhost is an open-source alternative to Firebase that provides backend services, including authentication and a GraphQL API, for web applications. It helps developers build and manage applications more efficiently.

What kind of weakness does CVE-2026-41574 represent?

CVE-2026-41574 is an improper authentication vulnerability (CWE-287). It means that Nhost incorrectly verifies the identity of users during the OAuth login process, allowing attackers to link an unverified email to an existing account.

How can an attacker exploit this Nhost vulnerability?

An attacker can exploit this by presenting an email they control during an OAuth login process. If the OAuth provider adapter in Nhost incorrectly reports the email as verified, the attacker's email can be linked to a victim's Nhost account, granting the attacker access. The vulnerability is *not* triggered if the email verification is handled correctly by the OAuth provider.
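To make the adapter flaw described above concrete, here is an added Python illustration; it is a hypothetical model, not Nhost's code. A flawed adapter that marks every email as verified is shown beside a hardened one that only honours the provider's own boolean claim, both feeding a linking step that refuses unverified addresses. The provider name, the function names and the sample profile are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    identities: list = field(default_factory=list)  # (provider, subject) pairs


def normalize_profile_weak(raw):
    """Flawed adapter: reports every email as verified, whatever the provider said."""
    return {"sub": raw["sub"], "email": raw["email"], "email_verified": True}


def normalize_profile_hardened(raw):
    """Hardened adapter: only a boolean True claim from the provider counts."""
    return {"sub": raw["sub"], "email": raw["email"],
            "email_verified": raw.get("email_verified") is True}


def link_identity(accounts, provider, profile):
    """Attach a provider identity to the existing account with the same email.

    Returns the account on success, None if no account matches, and raises
    PermissionError when the email is not verified (the caller must run its own
    verification step instead of linking by email).
    """
    if not profile["email_verified"]:
        raise PermissionError("email not verified by provider; refusing to link")
    by_email = {a.email.lower(): a for a in accounts}
    account = by_email.get(profile["email"].lower())
    if account is not None:
        account.identities.append((provider, profile["sub"]))
    return account


# Constructed sample input: a provider response that presents an existing
# account's address but carries no email_verified claim at all.
RAW_PROFILE = {"sub": "other-subject-001", "email": "Victim@example.com"}


def outcome(normalize):
    """Run one adapter over the sample; True if the foreign identity got linked."""
    accounts = [Account(email="victim@example.com")]
    try:
        linked = link_identity(accounts, "example-oauth", normalize(RAW_PROFILE))
    except PermissionError:
        return False
    return linked is not None and ("example-oauth", "other-subject-001") in linked.identities
```

With the weak adapter the unverified identity is linked to the existing account; with the hardened adapter the link is refused, which is the behaviour a fixed adapter should show.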

Who should be concerned about this CVE?

Anyone running Nhost, especially versions prior to 0.49.1, should be concerned. Because Nhost is used for authentication and can be internet-facing, this vulnerability poses a significant risk of account takeover for users.

What is the first step to respond to this CVE?

The immediate and most critical step is to upgrade Nhost to version 0.49.1 or later, as this version includes the fix for the vulnerability.