CVE-2026-41574
Undergoing Analysis Undergoing Analysis - In Progress
OAuth Identity Linking Flaw in Nhost

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.49.1, Nhost automatically links an incoming OAuth identity to an existing Nhost account when the email addresses match. This is only safe when the email has been verified by the OAuth provider. Nhost's controller trusts a profile.EmailVerified boolean that is set by each provider adapter. The vulnerability is that several provider adapters do not correctly populate this field they either silently drop a verified field the provider API actually returns (Discord), or they fall back to accepting unconfirmed emails and marking them as verified (Bitbucket). Two Microsoft providers (AzureAD, EntraID) derive the email from non-ownership-proving fields like the user principal name, then mark it verified. The result is that an attacker can present an email they don't own to Nhost, have the OAuth identity merged into the victim's account, and receive a full authenticated session. This issue has been patched in version 0.49.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-41574
EUVD
EUVD-2026-28650
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
nhost nhost to 0.49.1 (exc)
nhost nhost 0.49.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Nhost, an open source Firebase alternative with GraphQL, where prior to version 0.49.1, Nhost automatically linked an incoming OAuth identity to an existing account if the email addresses matched, without properly verifying email ownership.

The problem is that several OAuth provider adapters did not correctly verify if the email was truly verified by the provider. Some providers either ignored the verified email field (Discord), accepted unconfirmed emails as verified (Bitbucket), or derived the email from fields that do not prove ownership (AzureAD, EntraID).

As a result, an attacker could present an email they do not own, have their OAuth identity merged into a victim's account, and gain full authenticated access to that account.

Compliance Impact

This vulnerability allows an attacker to take over a victim's account by bypassing OAuth email verification, resulting in unauthorized access to personal and potentially sensitive data.

Such unauthorized account takeover can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over user identity verification and access to personal data.

Because the vulnerability enables silent account hijacking without victim interaction, it increases the risk of data breaches and unauthorized data processing, potentially causing non-compliance with these standards.

The patch introduced in version 0.49.1 enforces strict email verification before linking OAuth identities, mitigating the risk and helping maintain compliance with these regulations.

Detection Guidance

This vulnerability involves improper email verification during OAuth identity linking in Nhost prior to version 0.49.1. Detection would focus on identifying OAuth sign-in attempts where unverified or improperly verified emails are linked to existing accounts.

Since the issue is in the application logic of Nhost's OAuth handling, network-level detection is challenging. However, you can monitor authentication logs for suspicious OAuth login events where multiple OAuth providers link to the same email without proper verification.

To detect exploitation attempts or vulnerable versions, you can check the Nhost version running on your system and audit OAuth provider adapter logs or authentication events for unusual account linking patterns.

Suggested commands include:

  • Check Nhost version to confirm if it is prior to 0.49.1 (vulnerable):
  • nhost --version
  • Review authentication logs for OAuth sign-ins and account linking events, for example (assuming logs are in JSON format):
  • grep 'OAuth' /var/log/nhost/auth.log | jq '.event, .email, .provider, .emailVerified'
  • Look for OAuth login events where emailVerified is false or missing but the account linking still occurs.
  • If you have access to the source or runtime environment, audit the OAuth provider adapter code or logs to verify if the email verification field is properly handled.

Ultimately, detection relies on application-level logging and monitoring of OAuth identity linking behavior, as the vulnerability is due to logic errors in email verification handling.

Impact Analysis

This vulnerability can lead to a full account takeover by an attacker without any victim interaction.

An attacker can link an OAuth identity with an unverified email to a victim's existing Nhost account if the email addresses match, gaining a fully authenticated session.

This allows the attacker to disable other login methods and permanently lock out the legitimate account owner.

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade Nhost to version 0.49.1 or later, where the issue has been patched.

The patch introduces a strict three-state email verification system and enforces that only explicitly verified emails from OAuth providers can be linked to existing accounts.

Additionally, ensure that your OAuth provider adapters are updated to properly validate the email verification status and that unsafe fallbacks (such as using non-ownership-proving fields) are removed.

Review your authentication flows to confirm that the guard clause (`ensureProviderLinkAllowed`) is in place to prevent linking unverified OAuth identities.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41574. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart