CVE-2026-34200
Unauthorized Cross-Origin Access in Nhost CLI MCP Server

Publication date: 2026-03-31

Last updated on: 2026-04-07

Assigner: GitHub, Inc.

Description
Nhost is an open source Firebase alternative with GraphQL. Prior to version 1.41.0, the Nhost CLI MCP server, when explicitly configured to listen on a network port, applies no inbound authentication and does not enforce strict CORS. This allows a malicious website visited on the same machine to issue cross-origin requests to the MCP server and invoke privileged tools using the developer's locally configured credentials. This vulnerability requires two explicit, non-default configuration steps to be exploitable. The default `nhost mcp start` configuration is not affected. This issue has been patched in version 1.41.0.
Meta Information
  • Published: 2026-03-31
  • Last Modified: 2026-04-07
  • Generated: 2026-05-07
  • AI Q&A: 2026-03-31
  • EPSS Evaluated: 2026-05-05
Affected Vendors & Products
  • Vendor: nhost; Product: cli; Version range: all versions before 1.41.0 (1.41.0 excluded)
CWE
  • CWE-306 (Missing Authentication for Critical Function): The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
  • CWE-942 (Permissive Cross-domain Policy with Untrusted Domains): The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in the Nhost CLI MCP server allows unauthorized cross-origin requests to invoke privileged tools using the developer's locally configured credentials when the server is explicitly bound to a network port without inbound authentication and strict CORS enforcement.

This can lead to unauthorized access and modification of local development data and, if cloud credentials are configured, exfiltration or mutation of cloud project data including destructive operations such as raw SQL migrations or table drops.

Such unauthorized access and potential data breaches could violate common standards and regulations like GDPR and HIPAA, which require strict controls on access to sensitive data and protection against unauthorized data exposure or modification.

The vulnerability arises only under non-default configurations that expose the MCP server on a network port without authentication, increasing the risk of data compromise and non-compliance with data protection requirements.

The patch removes the ability to bind the MCP server to a network port, forcing it to operate only over stdio, thereby mitigating the risk of unauthorized network access and helping maintain compliance with security and privacy standards.


Can you explain this vulnerability to me?

CVE-2026-34200 is a vulnerability in the Nhost CLI MCP server prior to version 1.41.0. When the MCP server is explicitly configured to listen on a network port using the `--bind` flag, it applies no inbound authentication and does not enforce strict CORS policies. This allows a malicious website visited on the same machine to send cross-origin requests to the MCP server and invoke privileged tools using the developer's locally configured credentials.

The vulnerability requires two explicit, non-default configuration steps to be exploitable: starting the MCP server with network binding enabled and configuring cloud credentials. By default, the MCP server binds to standard input/output (stdio) and is not exposed on the network, so the default configuration is not affected.

Technically, the server answers with a wildcard CORS header (`Access-Control-Allow-Origin: *`) and does not strictly validate the `Content-Type` header on JSON-RPC requests. A cross-origin POST sent with `Content-Type: text/plain` is a CORS "simple request", so the browser issues no preflight and the request reaches the server regardless of origin. This lets a web page loaded in the developer's browser execute privileged commands through the bound network port.
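A defensive counterpart to the three weaknesses just described, added here as an example and not taken from the Nhost code base (the `hardenMCP` middleware, its origin allowlist, the bearer token and the `statusFor` helper are all assumptions): it refuses unlisted origins instead of answering `*`, rejects non-JSON bodies that would otherwise arrive without a preflight, and requires an inbound credential before the JSON-RPC handler runs.

```go
package main

import (
	"crypto/subtle"
	"mime"
	"net/http"
	"net/http/httptest"
)

// hardenMCP wraps the JSON-RPC handler of a network-bound MCP server (assumed
// illustration, not Nhost's code) and closes the three gaps the advisory names.
func hardenMCP(next http.Handler, allowedOrigins map[string]bool, token string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Browser callers must be on an explicit allowlist; never answer with "*".
		if origin := r.Header.Get("Origin"); origin != "" {
			if !allowedOrigins[origin] {
				http.Error(w, "forbidden origin", http.StatusForbidden)
				return
			}
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
			if r.Method == http.MethodOptions { // CORS preflight from an allowed origin
				w.WriteHeader(http.StatusNoContent)
				return
			}
		}
		// text/plain is a CORS "simple request" that skips preflight: enforce JSON server-side.
		if mt, _, _ := mime.ParseMediaType(r.Header.Get("Content-Type")); mt != "application/json" {
			http.Error(w, "unsupported media type", http.StatusUnsupportedMediaType)
			return
		}
		// Inbound authentication: a per-session bearer token the CLI would print at start.
		if subtle.ConstantTimeCompare([]byte(r.Header.Get("Authorization")), []byte("Bearer "+token)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor replays one request against a handler and returns the HTTP status.
func statusFor(h http.Handler, method, origin, contentType, auth string) int {
	req := httptest.NewRequest(method, "/mcp", nil)
	req.Header.Set("Origin", origin)
	req.Header.Set("Content-Type", contentType)
	req.Header.Set("Authorization", auth)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```

With the original server only the first check (a missing origin allowlist) would have been enough to stop the browser; the other two matter because a local process or a non-browser client is not bound by CORS at all.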


How can this vulnerability impact me?

This vulnerability can allow attackers to perform unauthorized actions using the developer's credentials if the MCP server is bound to a network port and cloud credentials are configured.

  • Attackers can execute GraphQL queries and mutations on Nhost Cloud using the developer’s Personal Access Token.
  • Attackers can execute GraphQL queries on the configured project, including setting arbitrary roles and user IDs.
  • Attackers can access Hasura metadata and migration endpoints, enabling raw SQL execution, table drops, and permission changes.

The impact includes reading or modifying local development project data, exfiltrating or mutating cloud project data, and executing destructive operations such as raw SQL migrations or table drops. However, the impact is limited to the developer’s configured project and does not affect other developers or projects.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the Nhost CLI MCP server is running with the non-default `--bind` flag, which binds the server to a network port without inbound authentication.

To detect this on your system, you can look for running MCP server processes that include the `--bind` option or check network ports for MCP server listeners.

  • Use a command like `ps aux | grep 'nhost mcp start'` to see if the MCP server is started with the `--bind` flag.
  • Use `netstat -tuln | grep <port>` or `ss -tuln | grep <port>` to check if the MCP server is listening on a TCP port (replace `<port>` with the suspected port number).
  • Check the MCP server configuration for any explicit network binding settings.

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, avoid using the `--bind` flag when starting the Nhost CLI MCP server.

Ensure the MCP server runs with its default configuration, which binds it to standard input/output (stdio) and does not expose it on any network ports.

Upgrade the Nhost CLI to version 1.41.0 or later, where the `--bind` flag has been removed and the MCP server cannot be bound to a network port.

  • Remove any explicit `--bind` usage in your start commands, e.g., change `nhost mcp start --bind localhost:8080` to simply `nhost mcp start`.
  • Apply the patch or update that removes the `--bind` flag and restricts the MCP server to stdio communication only.
