CVE-2026-41574 · CRITICAL 9.8 · EPSS p43.9%

CVE-2026-41574

Description

Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.49.1, Nhost automatically links an incoming OAuth identity to an existing Nhost account when the email addresses match. This is only safe when the email has been verified by the OAuth provider. Nhost's controller trusts a profile.EmailVerified boolean that is set by each provider adapter. The vulnerability is that several provider adapters do not correctly populate this field: they either silently drop a verified field the provider API actually returns (Discord), or they fall back to accepting unconfirmed emails and marking them as verified (Bitbucket). Two Microsoft providers (AzureAD, EntraID) derive the email from non-ownership-proving fields such as the user principal name, then mark it verified. The result is that an attacker can present an email they don't own to Nhost, have the OAuth identity merged into the victim's account, and receive a full authenticated session. This issue has been patched in version 0.49.1.
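The three adapter failures the description lists all collapse into one rule at the linking step: merge by email only when the provider itself vouched for the address. The Go below is an added illustration written for this page, not Nhost's code or its 0.49.1 fix. It assumes the provider payload shapes (Discord's `verified` boolean on `/users/@me`, Bitbucket's `is_confirmed`/`is_primary` on `/2.0/user/emails`, Microsoft Graph's `mail` and `userPrincipalName` on `/me`), and all payloads are constructed samples. For the Microsoft case it makes the conservative choice of never marking the address verified, which may be stricter than what Nhost shipped. `DecideTrustingAdapter` models the pre-0.49.1 behaviour by believing a flag that was set to true without evidence.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Profile is the normalised identity an adapter hands to the account-linking
// step. Only EmailVerified == true may drive an automatic merge by email.
type Profile struct {
	Provider      string
	ProviderID    string
	Email         string
	EmailVerified bool
}

// Discord /users/@me (assumed field names; payloads here are constructed).
type discordUser struct {
	ID       string `json:"id"`
	Email    string `json:"email"`
	Verified bool   `json:"verified"`
}

// Bitbucket /2.0/user/emails (assumed field names).
type bitbucketEmails struct {
	Values []struct {
		Email       string `json:"email"`
		IsPrimary   bool   `json:"is_primary"`
		IsConfirmed bool   `json:"is_confirmed"`
	} `json:"values"`
}

// Microsoft Graph /me (assumed field names).
type graphUser struct {
	ID                string `json:"id"`
	Mail              string `json:"mail"`
	UserPrincipalName string `json:"userPrincipalName"`
}

// DiscordProfile propagates the provider's own "verified" flag instead of dropping it.
func DiscordProfile(raw []byte) (Profile, error) {
	var u discordUser
	if err := json.Unmarshal(raw, &u); err != nil {
		return Profile{}, err
	}
	return Profile{Provider: "discord", ProviderID: u.ID, Email: u.Email, EmailVerified: u.Verified}, nil
}

// BitbucketProfile prefers a confirmed address (primary if there is one). An
// unconfirmed address is still returned so a fresh account can be created,
// but it is never marked verified.
func BitbucketProfile(id string, raw []byte) (Profile, error) {
	var e bitbucketEmails
	if err := json.Unmarshal(raw, &e); err != nil {
		return Profile{}, err
	}
	p := Profile{Provider: "bitbucket", ProviderID: id}
	for _, v := range e.Values {
		if v.IsConfirmed && (p.Email == "" || v.IsPrimary) {
			p.Email, p.EmailVerified = v.Email, true
		}
	}
	if p.Email == "" && len(e.Values) > 0 { // fallback keeps EmailVerified == false
		p.Email = e.Values[0].Email
	}
	return p, nil
}

// EntraProfile never treats userPrincipalName (or mail) as proof of mailbox
// ownership: the address is carried over unverified (assumption: stricter than
// the upstream fix may be), so it can seed a new account but not merge into one.
func EntraProfile(raw []byte) (Profile, error) {
	var u graphUser
	if err := json.Unmarshal(raw, &u); err != nil {
		return Profile{}, err
	}
	email := u.Mail
	if email == "" {
		email = u.UserPrincipalName
	}
	return Profile{Provider: "entraid", ProviderID: u.ID, Email: email, EmailVerified: false}, nil
}

type Decision string

const (
	LinkExisting   Decision = "link-existing"
	CreateNew      Decision = "create-new"
	RefuseAutoLink Decision = "refuse-auto-link"
)

// Decide is the linking rule the advisory calls for: merge into an existing
// account by email only when the provider vouched for that email.
func Decide(p Profile, accountsByEmail map[string]string) (Decision, string) {
	uid, known := accountsByEmail[strings.ToLower(strings.TrimSpace(p.Email))]
	switch {
	case !known:
		return CreateNew, ""
	case !p.EmailVerified:
		return RefuseAutoLink, ""
	default:
		return LinkExisting, uid
	}
}

// DecideTrustingAdapter models the pre-0.49.1 failure: an adapter that set
// EmailVerified without evidence, so the unowned email is merged anyway.
func DecideTrustingAdapter(p Profile, accountsByEmail map[string]string) (Decision, string) {
	p.EmailVerified = true
	return Decide(p, accountsByEmail)
}

func main() {
	accounts := map[string]string{"victim@example.com": "user-1"} // constructed
	attacker := []byte(`{"id":"42","email":"victim@example.com","verified":false}`)
	p, _ := DiscordProfile(attacker)
	d, uid := Decide(p, accounts)
	fmt.Println(d, uid) // refuse-auto-link
	d, uid = DecideTrustingAdapter(p, accounts)
	fmt.Println(d, uid) // link-existing user-1
}
```

The refusal path is deliberately not "create a second account with the same email": that would either collide with the existing row or leave two accounts sharing an address, so a real controller should fall through to an explicit sign-in-then-link flow. Note also that the check only proves the attacker controls the provider-side mailbox; it does not prove the existing Nhost account's email was ever verified, which is a separate precondition worth enforcing before any email-based merge.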

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.60% probability of exploitation · percentile 43.9% · 2026-06-19T12:03:05Z
Published: 2026-05-08
Last modified: 2026-05-13

Underlying weaknesses · 1

CWE-287

References

  1. https://github.com/nhost/nhost/commit/ec8dab3f2cf46e1131ddaf893d56c37aa00380b2
  2. https://github.com/nhost/nhost/pull/4162
  3. https://github.com/nhost/nhost/releases/tag/auth%400.49.1
  4. https://github.com/nhost/nhost/security/advisories/GHSA-6g38-8j4p-j3pr

Type      Target                              Confidence  Tier
Weakness  Improper Authentication (cwe-287)   0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-33221
  2. CVE-2026-33175
  3. CVE-2026-9092
  4. CVE-2025-70948
  5. CVE-2026-47655
  6. CVE-2026-30967
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.