CVE-2026-34200 Overview
CVE-2026-34200 is a Missing Authentication vulnerability affecting the Nhost CLI MCP server, an open source Firebase alternative with GraphQL. When the MCP server is explicitly configured to listen on a network port (a non-default configuration), it applies no inbound authentication and does not enforce strict CORS. This allows a malicious website visited on the same machine to issue cross-origin requests to the MCP server and invoke privileged tools using the developer's locally configured credentials.
Critical Impact
Attackers can exploit missing authentication and CORS enforcement to gain unauthorized access to privileged developer tools and locally configured credentials through malicious cross-origin requests.
Affected Products
- Nhost CLI versions prior to 1.41.0
- Nhost MCP Server with network port binding enabled (non-default configuration)
Discovery Timeline
- 2026-03-31 - CVE-2026-34200 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-34200
Vulnerability Analysis
The vulnerability stems from CWE-306 (Missing Authentication for Critical Function). When the Nhost CLI MCP server is explicitly configured with the --bind flag to listen on a network port, it fails to implement any authentication mechanism for inbound connections. Additionally, the server does not enforce strict Cross-Origin Resource Sharing (CORS) policies.
This combination allows an attacker-controlled website to make cross-origin HTTP requests to the locally running MCP server. Since no authentication is required and CORS restrictions are not properly enforced, the malicious site can successfully invoke privileged server functions. These operations execute with the permissions of the developer's locally configured credentials, potentially exposing sensitive development resources and capabilities.
It's important to note that this vulnerability requires two explicit, non-default configuration steps to be exploitable. The default nhost mcp start configuration is not affected, which significantly limits the attack surface to developers who have manually enabled network port binding.
Root Cause
The root cause is the absence of authentication middleware and improper CORS configuration in the MCP server when bound to a network port. The server was designed primarily for local stdio-based communication and lacked the necessary security controls for network-exposed operation. The --bind flag functionality was implemented without corresponding authentication and CORS enforcement mechanisms.
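As an added illustration (not Nhost's code), the shape of the two controls this root cause says were missing on the network-bound path: an inbound bearer-token check and a strict origin allowlist, written as Go middleware around a stand-in tool handler. The token value, the allowlist entry and all function names are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"net/http/httptest"
)

// Constructed illustration, not Nhost's code: the inbound authentication and
// strict-origin checks the root cause describes as absent on the --bind path.
const expectedToken = "example-local-token" // constructed; real servers generate it
// Strict CORS allowlist. An absent Origin header means a non-browser client.
var allowedOrigins = map[string]bool{"http://localhost:3000": true}
// privilegedTool stands in for an MCP tool acting with developer credentials.
func privilegedTool(w http.ResponseWriter, r *http.Request) {
	w.Write([]byte("tool executed"))
}

// guard adds the two missing controls around a tool handler.
func guard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Reject browser origins not on the allowlist; never reflect Origin back.
		if o := r.Header.Get("Origin"); o != "" && !allowedOrigins[o] {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		// Require a bearer token, compared in constant time.
		want := []byte("Bearer " + expectedToken)
		if subtle.ConstantTimeCompare([]byte(r.Header.Get("Authorization")), want) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one in-memory request (no socket) to the bare handler, which
// mirrors the vulnerable shape, or to the guarded one, and returns the status.
func probe(guarded bool, origin, auth string) int {
	req := httptest.NewRequest(http.MethodPost, "/mcp", nil)
	req.Header.Set("Origin", origin)
	req.Header.Set("Authorization", auth)
	var h http.Handler = http.HandlerFunc(privilegedTool)
	if guarded {
		h = guard(h)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```

Unguarded, a request carrying a foreign Origin and no token reaches the tool (200); guarded, the same request gets 403, and a local client without the token gets 401.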
Attack Vector
The attack requires the victim developer to have configured the MCP server to bind to a network port. Once exposed, an attacker can craft a malicious webpage that, when visited by the victim in their browser, executes JavaScript to send cross-origin requests to the MCP server running on localhost. Since the server lacks authentication and proper CORS enforcement, these requests succeed and execute privileged operations using the developer's credentials.
The security patch removes the network binding capability entirely to eliminate this attack surface:
const (
flagNhostAuthURL = "nhost-auth-url"
flagNhostGraphqlURL = "nhost-graphql-url"
- flagBind = "bind"
)
const (
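Review bot: deleting the flagBind constant on its own will not compile unless every reference to flagBind (the flag registration on the mcp start command and the code path that opens the listening socket) is removed in the same change; the excerpt shown here stops at a second "const (" block, so those companion removals are not visible and should be confirmed in the full commit.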
Source: GitHub Commit
The fix completely removes the --bind flag option, ensuring the MCP server can only operate via stdio and cannot be exposed to network-based attacks.
Detection Methods for CVE-2026-34200
Indicators of Compromise
- Unexpected network connections to local MCP server ports from browser processes
- Cross-origin HTTP requests targeting localhost ports associated with Nhost MCP server
- Unusual GraphQL operations or API calls originating from web browser contexts
- Log entries showing privileged tool invocations without corresponding developer activity
Detection Strategies
- Monitor for nhost CLI processes that are listening on network ports
- Audit developer workstations for Nhost CLI configurations that include the --bind flag
- Implement network traffic analysis to detect cross-origin requests to localhost development services
- Review browser network logs for suspicious requests to local development server endpoints
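As an added example (not part of the Nhost CLI), a small Go audit helper for the second strategy above: it scans process command lines, such as the args column of ps -eo pid,args, for nhost mcp start invocations that carry the --bind flag and reports the bound address. The process list it reads is constructed input.

```go
package main

import "strings"

// Constructed audit helper, not part of the Nhost CLI: finds MCP servers
// started with the non-default --bind flag from a list of process command lines.

// Finding records one process running the vulnerable configuration.
type Finding struct {
	PID  string
	Bind string // value given to --bind, or "" if the flag had no value
}

// auditCommandLines takes lines of the form "<pid> <args...>" and returns a
// finding for each nhost "mcp start" invocation that uses --bind, in either
// the "--bind host:port" or the "--bind=host:port" form.
func auditCommandLines(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		pid, args := fields[0], fields[1:]
		// Only the nhost CLI's "mcp start" subcommand is in scope.
		if len(args) < 3 || !strings.HasSuffix(args[0], "nhost") || args[1] != "mcp" || args[2] != "start" {
			continue
		}
		for i := 3; i < len(args); i++ {
			switch {
			case args[i] == "--bind" && i+1 < len(args):
				out = append(out, Finding{PID: pid, Bind: args[i+1]})
			case args[i] == "--bind":
				out = append(out, Finding{PID: pid})
			case strings.HasPrefix(args[i], "--bind="):
				out = append(out, Finding{PID: pid, Bind: strings.TrimPrefix(args[i], "--bind=")})
			}
		}
	}
	return out
}

// sampleProcessList is constructed input, not captured from a real host.
var sampleProcessList = []string{
	"4120 /usr/local/bin/nhost mcp start",
	"4133 nhost mcp start --bind 0.0.0.0:8080",
	"4150 /home/dev/.local/bin/nhost mcp start --bind=127.0.0.1:9000",
	"4201 node /opt/app/server.js --bind 8080",
}
```

Only the two nhost processes started with --bind are reported; the default stdio invocation and the unrelated node process are not.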
Monitoring Recommendations
- Deploy endpoint detection to alert on Nhost CLI processes with network socket bindings
- Configure firewall rules to block external access to common development server ports
- Implement browser-based security controls to detect and block suspicious localhost requests
- Establish baseline developer tool configurations and alert on deviations
How to Mitigate CVE-2026-34200
Immediate Actions Required
- Upgrade Nhost CLI to version 1.41.0 or later immediately
- Audit existing Nhost CLI configurations for usage of the --bind flag
- Stop any running MCP server instances configured with network port binding
- Review access logs for any suspicious activity that may indicate prior exploitation
Patch Information
The vulnerability has been patched in Nhost CLI version 1.41.0. The fix removes the ability to bind the MCP server to a network port entirely, eliminating the attack vector. Users should update to the patched version as soon as possible. For detailed patch information, see the GitHub Security Advisory and the associated pull request.
Workarounds
- Immediately stop using the --bind flag with the MCP server command
- Use the default stdio-based communication instead of network port binding
- If network binding is required, implement a reverse proxy with authentication in front of the MCP server
- Restrict browser access on development machines to prevent visiting untrusted websites while MCP server is running
# Use the default (secure) configuration
nhost mcp start
# Avoid the vulnerable configuration (do not use)
# nhost mcp start --bind 0.0.0.0:8080 # INSECURE - do not use
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

