CVE-2026-41574
OAuth Identity Linking Flaw in Nhost
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nhost | nhost | up to 0.49.1 (exclusive) |
| nhost | nhost | 0.49.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to take over a victim's account by bypassing OAuth email verification, resulting in unauthorized access to personal and potentially sensitive data.
Such unauthorized account takeover can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over user identity verification and access to personal data.
Because the vulnerability enables silent account hijacking without victim interaction, it increases the risk of data breaches and unauthorized data processing, potentially causing non-compliance with these standards.
The patch introduced in version 0.49.1 enforces strict email verification before linking OAuth identities, mitigating the risk and helping maintain compliance with these regulations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves improper email verification during OAuth identity linking in Nhost prior to version 0.49.1. Detection would focus on identifying OAuth sign-in attempts where unverified or improperly verified emails are linked to existing accounts.
Since the issue is in the application logic of Nhost's OAuth handling, network-level detection is challenging. However, you can monitor authentication logs for suspicious OAuth login events where multiple OAuth providers link to the same email without proper verification.
To detect exploitation attempts or vulnerable versions, you can check the Nhost version running on your system and audit OAuth provider adapter logs or authentication events for unusual account linking patterns.
Suggested commands include:
- Check the Nhost version to confirm whether it is prior to 0.49.1 (vulnerable):
  `nhost --version`
- Review authentication logs for OAuth sign-ins and account linking events, for example (assuming the logs are in JSON format):
  `grep 'OAuth' /var/log/nhost/auth.log | jq '.event, .email, .provider, .emailVerified'`
- Look for OAuth login events where `emailVerified` is false or missing but account linking still occurs.
- If you have access to the source or runtime environment, audit the OAuth provider adapter code or logs to verify that the email verification field is handled correctly.
Ultimately, detection relies on application-level logging and monitoring of OAuth identity linking behavior, as the vulnerability is due to logic errors in email verification handling.
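The log review described above can be automated. The following Go program is an added example written for this page, not code from Nhost or from the advisory. It reads newline-delimited JSON authentication events and flags every account-linking event in which the provider did not positively assert that the email was verified. The field names (`event`, `email`, `provider`, `emailVerified`, `userId`), the event name `oauth_identity_linked`, and the sample log lines are all constructed assumptions; adapt them to the schema your deployment actually emits.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AuthEvent mirrors the JSON fields the jq command above selects. The field
// names are assumptions for this example; the real Nhost log schema may differ.
// EmailVerified is a pointer so that a missing key (nil) can be told apart from
// an explicit false, which are the two conditions the guidance says to look for.
type AuthEvent struct {
	Event         string `json:"event"`
	Email         string `json:"email"`
	Provider      string `json:"provider"`
	EmailVerified *bool  `json:"emailVerified"`
	UserID        string `json:"userId"`
}

// Finding is one suspicious log line together with the reason it was flagged.
type Finding struct {
	Line   int
	Reason string
	Event  AuthEvent
}

// linkEvents lists the event names treated as "an OAuth identity was linked to
// an existing account". The name is an assumption for the example.
var linkEvents = map[string]bool{
	"oauth_identity_linked": true,
}

// ScanAuthLog walks newline-delimited JSON and reports linking events where the
// provider did not explicitly assert the email as verified. Unparseable lines are
// reported too, so that a log format change does not silently blind the check.
func ScanAuthLog(log string) []Finding {
	var findings []Finding
	for i, raw := range strings.Split(log, "\n") {
		raw = strings.TrimSpace(raw)
		if raw == "" {
			continue
		}
		var ev AuthEvent
		if err := json.Unmarshal([]byte(raw), &ev); err != nil {
			findings = append(findings, Finding{Line: i + 1, Reason: "unparseable log line: " + err.Error()})
			continue
		}
		if !linkEvents[ev.Event] {
			continue // sign-ins without linking are not in scope for this check
		}
		switch {
		case ev.EmailVerified == nil:
			findings = append(findings, Finding{Line: i + 1, Reason: "link with emailVerified missing", Event: ev})
		case !*ev.EmailVerified:
			findings = append(findings, Finding{Line: i + 1, Reason: "link with emailVerified=false", Event: ev})
		}
	}
	return findings
}

// sampleLog is constructed test data, not output captured from a real deployment.
// Line 3 models a provider that never reported a verification flag; line 4 models
// one that reported the email as unconfirmed but was linked anyway.
const sampleLog = `
{"event":"oauth_signin","email":"alice@example.com","provider":"github","emailVerified":true,"userId":"u1"}
{"event":"oauth_identity_linked","email":"alice@example.com","provider":"github","emailVerified":true,"userId":"u1"}
{"event":"oauth_identity_linked","email":"bob@example.com","provider":"discord","userId":"u2"}
{"event":"oauth_identity_linked","email":"carol@example.com","provider":"bitbucket","emailVerified":false,"userId":"u3"}
`

func main() {
	for _, f := range ScanAuthLog(sampleLog) {
		fmt.Printf("line %d: %s (provider=%s email=%s user=%s)\n",
			f.Line, f.Reason, f.Event.Provider, f.Event.Email, f.Event.UserID)
	}
}
```

Run it over a real export by reading the file into `ScanAuthLog` instead of `sampleLog`; a non-empty result on a deployment that is already on 0.49.1 or later would indicate that an adapter is still reporting unverified or absent verification status and deserves a closer look.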
Can you explain this vulnerability to me?
This vulnerability exists in Nhost, an open source Firebase alternative with GraphQL, where prior to version 0.49.1, Nhost automatically linked an incoming OAuth identity to an existing account if the email addresses matched, without properly verifying email ownership.
The problem is that several OAuth provider adapters did not correctly verify if the email was truly verified by the provider. Some providers either ignored the verified email field (Discord), accepted unconfirmed emails as verified (Bitbucket), or derived the email from fields that do not prove ownership (AzureAD, EntraID).
As a result, an attacker could present an email they do not own, have their OAuth identity merged into a victim's account, and gain full authenticated access to that account.
How can this vulnerability impact me?
This vulnerability can lead to a full account takeover by an attacker without any victim interaction.
An attacker can link an OAuth identity with an unverified email to a victim's existing Nhost account if the email addresses match, gaining a fully authenticated session.
This allows the attacker to disable other login methods and permanently lock out the legitimate account owner.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade Nhost to version 0.49.1 or later, where the issue has been patched.
The patch introduces a strict three-state email verification system and enforces that only explicitly verified emails from OAuth providers can be linked to existing accounts.
Additionally, ensure that your OAuth provider adapters are updated to properly validate the email verification status and that unsafe fallbacks (such as using non-ownership-proving fields) are removed.
Review your authentication flows to confirm that the guard clause (`ensureProviderLinkAllowed`) is in place to prevent linking unverified OAuth identities.
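To make the flaw and the fix concrete, the following Go program is an added example written for this page; it is not Nhost's code and does not reproduce the project's actual implementation. It places the pre-0.49.1 behaviour described above (merge any identity whose email matches an existing account) beside a hardened linking path that models the three-state email verification the patch is described as introducing and a guard in the spirit of the `ensureProviderLinkAllowed` clause named above. The state names, the `ensureProviderLinkAllowed` signature, the `classifyEmail` helper, and the sample users and identities are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// EmailVerification models the three-state scheme described for the fix. The
// constant names are assumptions for this example, not Nhost's identifiers.
type EmailVerification int

const (
	EmailUnknown    EmailVerification = iota // provider carried no verification claim at all
	EmailUnverified                          // provider explicitly said the email is not confirmed
	EmailVerified                            // provider explicitly asserted ownership
)

// ProviderIdentity is what an OAuth adapter hands to the linking logic.
type ProviderIdentity struct {
	Provider     string
	ProviderUID  string
	Email        string
	Verification EmailVerification
}

// User is an existing account; Identities maps provider name to provider UID.
type User struct {
	ID         string
	Email      string
	Identities map[string]string
}

// ErrLinkNotAllowed is returned when the provider did not prove email ownership.
var ErrLinkNotAllowed = errors.New("provider did not verify email ownership; refusing to link")

// classifyEmail maps what an adapter saw to the three states. verified is nil
// when the provider response carried no verification claim. fromFallback is true
// when the email was derived from a field that does not prove ownership; such an
// email is never treated as verified, which removes the unsafe fallback described
// in the advisory.
func classifyEmail(email string, verified *bool, fromFallback bool) EmailVerification {
	switch {
	case email == "" || fromFallback || verified == nil:
		return EmailUnknown
	case !*verified:
		return EmailUnverified
	default:
		return EmailVerified
	}
}

// ensureProviderLinkAllowed is the guard: only an email the provider explicitly
// asserted as verified may be used to attach an identity to an existing account.
func ensureProviderLinkAllowed(id ProviderIdentity) error {
	if id.Email == "" || id.Verification != EmailVerified {
		return ErrLinkNotAllowed
	}
	return nil
}

// mergeIdentity attaches the identity to whichever account has the same email.
func mergeIdentity(users map[string]*User, id ProviderIdentity) (*User, error) {
	u, ok := users[id.Email]
	if !ok {
		return nil, errors.New("no existing account with that email")
	}
	u.Identities[id.Provider] = id.ProviderUID
	return u, nil
}

// VulnerableLink reproduces the pre-0.49.1 behaviour: an email match alone is
// enough to merge the incoming identity into the existing account.
func VulnerableLink(users map[string]*User, id ProviderIdentity) (*User, error) {
	return mergeIdentity(users, id)
}

// HardenedLink runs the guard first, so an identity whose email the provider
// did not verify is rejected before any account is touched.
func HardenedLink(users map[string]*User, id ProviderIdentity) (*User, error) {
	if err := ensureProviderLinkAllowed(id); err != nil {
		return nil, err
	}
	return mergeIdentity(users, id)
}

func main() {
	// Constructed sample: one existing account and one incoming identity whose
	// provider returned no verification claim for the matching email.
	users := map[string]*User{
		"victim@example.com": {ID: "u1", Email: "victim@example.com", Identities: map[string]string{"github": "g1"}},
	}
	incoming := ProviderIdentity{Provider: "discord", ProviderUID: "d9", Email: "victim@example.com",
		Verification: classifyEmail("victim@example.com", nil, false)}
	_, err := HardenedLink(users, incoming)
	fmt.Println("hardened:", err)
	u, _ := VulnerableLink(users, incoming)
	fmt.Println("vulnerable merged identities:", u.Identities)
}
```

The point of the three-state model is that "unknown" and "unverified" are both treated as not-verified: the guard only passes on a positive assertion, so an adapter that forgets to set the flag fails closed rather than open.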