CVE-2026-34969 Overview
CVE-2026-34969 is an Information Exposure vulnerability affecting Nhost, an open source Firebase alternative with GraphQL. Prior to version 0.48.0, the auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. This design flaw causes refresh tokens to be logged in browser history, server access logs, HTTP Referer headers, and proxy/CDN logs, potentially exposing sensitive authentication credentials to unintended parties.
Critical Impact
Refresh tokens placed in URLs may be inadvertently logged across multiple infrastructure components, potentially allowing token theft from browser history, server logs, HTTP headers, or CDN logs.
Affected Products
- Nhost Auth Service versions prior to 0.48.0
- Nhost OAuth provider callback implementations
- Applications using Nhost's OAuth authentication flow
Discovery Timeline
- April 6, 2026 - CVE-2026-34969 published to NVD
- April 7, 2026 - Last updated in NVD database
Technical Details for CVE-2026-34969
Vulnerability Analysis
This vulnerability represents a sensitive information exposure issue (CWE-200) in Nhost's authentication service. The OAuth provider callback flow improperly handles refresh tokens by placing them directly into redirect URLs as query parameters rather than using more secure transport mechanisms.
When a user authenticates via an OAuth provider, the refresh token is appended as a query parameter to the redirect URL that the callback returns. This creates several places where the token can be recorded. While each refresh token is single-use and the leak vectors lie on infrastructure the application developer owns or integrates, the exposure still presents security concerns in multi-tenant or shared logging environments.
Root Cause
The root cause stems from an insecure design pattern in the OAuth callback implementation. Instead of transmitting the refresh token through secure channels such as HttpOnly cookies or a POST body, the authentication service appends the token to the URL query string. This violates OAuth 2.0 security best practices, which recommend against placing sensitive tokens in URLs because web infrastructure routinely logs and caches them.
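To make the design flaw concrete, here is an added Go example (not Nhost's code) that contrasts the two callback patterns with net/http: a handler that appends the refresh token to the redirect URL, as the pre-0.48.0 flow does, and a hardened handler that delivers the same token in an HttpOnly, Secure cookie and redirects to a URL that carries no secret. The callback path, the redirect target, the query-parameter and cookie name `refreshToken`, and the token value are all constructed assumptions; the httptest harness shows what an access log, proxy or Referer header would capture in each case.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed sample token; a real service would mint this after the
// provider exchange. It is deliberately recognisable so the checks below
// can see where it ends up.
const sampleRefreshToken = "rt_constructed_sample_0123456789"

// Constructed redirect target: the application page the user lands on
// after the provider callback completes.
const appRedirect = "https://app.example.com/oauth/landing"

// vulnerableCallback mirrors the pre-0.48.0 pattern described in the
// advisory: the refresh token is appended to the redirect URL as a query
// parameter, so it lands in browser history, access logs, Referer headers
// and CDN logs.
func vulnerableCallback(w http.ResponseWriter, r *http.Request) {
	u, err := url.Parse(appRedirect)
	if err != nil {
		http.Error(w, "bad redirect target", http.StatusInternalServerError)
		return
	}
	q := u.Query()
	q.Set("refreshToken", sampleRefreshToken) // parameter name is an assumption
	u.RawQuery = q.Encode()
	http.Redirect(w, r, u.String(), http.StatusFound)
}

// hardenedCallback keeps the token out of the URL: it travels in an HttpOnly,
// Secure, SameSite cookie, and the Location header contains no credential.
func hardenedCallback(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{
		Name:     "refreshToken", // cookie name is an assumption
		Value:    sampleRefreshToken,
		Path:     "/",  // in production scope this to the token-refresh path
		HttpOnly: true, // not readable by page scripts
		Secure:   true, // sent over HTTPS only
		SameSite: http.SameSiteLaxMode,
		MaxAge:   30 * 24 * 3600,
	})
	http.Redirect(w, r, appRedirect, http.StatusFound)
}

// callbackResult records where the token ended up from the point of view of
// anything that observes the redirect response.
type callbackResult struct {
	Location       string // what a proxy, CDN or browser history would record
	TokenInURL     bool
	TokenInCookie  bool
	CookieHttpOnly bool
}

// runCallback drives a handler with a constructed callback request and
// inspects the response headers.
func runCallback(h http.HandlerFunc) callbackResult {
	rec := httptest.NewRecorder()
	// Constructed callback path and provider code; the real path is Nhost-specific.
	req := httptest.NewRequest(http.MethodGet, "/auth/provider/callback?code=constructed", nil)
	h(rec, req)

	loc := rec.Header().Get("Location")
	res := callbackResult{Location: loc, TokenInURL: strings.Contains(loc, sampleRefreshToken)}
	for _, c := range rec.Result().Cookies() {
		if c.Value == sampleRefreshToken {
			res.TokenInCookie = true
			res.CookieHttpOnly = c.HttpOnly
		}
	}
	return res
}

func main() {
	fmt.Printf("vulnerable: %+v\n", runCallback(vulnerableCallback))
	fmt.Printf("hardened:   %+v\n", runCallback(hardenedCallback))
}
```

The cookie variant assumes the token-refresh endpoint is on the same site as the landing page so the cookie is sent back to it; for a cross-site API the callback could instead hand the page a one-time code to redeem with a POST, the other channel the root-cause discussion names. In both hardened forms the Location header, which is what proxies, CDNs and browser history record, no longer contains the credential.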
Attack Vector
The attack vector is network-based and requires specific conditions to be exploited. An attacker would need access to one of the following leak vectors to obtain the refresh token:
- Browser History Access - Direct access to the user's browser could reveal the token in browsing history
- Server Access Logs - Web servers typically log full request URLs, including query parameters
- HTTP Referer Headers - If the user navigates to an external link from the callback page, the Referer header may contain the full URL with the token
- Proxy/CDN Logs - Intermediate proxies and CDN services may log request URLs
The vulnerability requires user interaction and specific access to logging infrastructure, limiting the attack surface primarily to insider threats or compromised logging systems.
Detection Methods for CVE-2026-34969
Indicators of Compromise
- Unusual access patterns to server logs or browser history data
- Evidence of log scraping activities targeting OAuth callback URLs
- Unauthorized token usage from unexpected IP addresses or user agents
- Multiple failed authentication attempts using expired or revoked refresh tokens
Detection Strategies
- Monitor server access logs for unusual queries targeting OAuth callback endpoints
- Implement log access auditing to detect unauthorized log file access
- Review CDN and proxy configurations for excessive URL logging
- Analyze authentication patterns for tokens used from unexpected sources
Monitoring Recommendations
- Enable detailed authentication logging to track refresh token usage patterns
- Implement alerts for refresh token reuse attempts (tokens are one-time use)
- Monitor for bulk log exports or unusual log query patterns
- Review Referrer-Policy headers and Content Security Policy configurations
How to Mitigate CVE-2026-34969
Immediate Actions Required
- Upgrade Nhost to version 0.48.0 or later immediately
- Review server access logs to identify any potential token exposure
- Rotate any refresh tokens that may have been logged prior to the upgrade
- Audit CDN and proxy configurations to remove or redact sensitive URL parameters from logs
Patch Information
This vulnerability is fixed in Nhost version 0.48.0. The fix modifies the OAuth callback flow to transmit refresh tokens through more secure mechanisms rather than URL query parameters. Organizations should upgrade to version 0.48.0 or later to remediate this vulnerability. For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Implement log scrubbing rules to redact refresh tokens from all logging systems
- Configure CDN and proxy services to exclude query parameters from URL logging
- Review and restrict access to server access logs and browser history data
- Consider implementing a Referrer-Policy header to prevent token leakage via Referer headers
# Example: Nginx log_format that omits the query string. $uri is the
# normalized path without the query, whereas $request would include the
# query string and with it the refresh token.
log_format sanitized '$remote_addr - $remote_user [$time_local] '
                     '"$request_method $uri" $status $body_bytes_sent '
                     '"$http_referer" "$http_user_agent"';
# Caveat: $http_referer is logged verbatim, so a Referer carrying the full
# landing URL (see Attack Vector above) would still write the token to disk;
# drop that field or pair this format with a Referrer-Policy header.
# log_format must sit in the http context; apply it in the server or location
# block that fronts the OAuth callback and its redirect target:
access_log /var/log/nginx/oauth_access.log sanitized;
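The log review under Immediate Actions and the log-scrubbing workaround above need the same tool: something that finds lines where a refresh token was written into a request URL or Referer field, redacts it, and records which tokens must be revoked. The following Go program is an added example, not part of the advisory or of Nhost; the access-log lines are constructed, the parameter names it looks for (`refreshToken`, `refresh_token`, `access_token`, `id_token`) are assumptions, and it keeps only a short SHA-256 fingerprint of each token rather than copying the secret into a second file.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// sampleLog is a constructed Nginx combined-format excerpt, not a real log.
// Line 1 is the landing-page hit with the token in the query string; line 2
// shows the same token leaking again through the Referer of a later request;
// line 4 uses the snake_case spelling of the parameter.
const sampleLog = `203.0.113.10 - - [06/Apr/2026:10:00:01 +0000] "GET /oauth/landing?refreshToken=rt_constructed_aaa111&state=xyz HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [06/Apr/2026:10:00:02 +0000] "GET /static/app.js HTTP/1.1" 200 9041 "https://app.example.com/oauth/landing?refreshToken=rt_constructed_aaa111&state=xyz" "Mozilla/5.0"
198.51.100.7 - - [06/Apr/2026:10:05:00 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "curl/8.0"
198.51.100.7 - - [06/Apr/2026:10:06:00 +0000] "GET /oauth/landing?refresh_token=rt_constructed_bbb222 HTTP/1.1" 200 512 "-" "Mozilla/5.0"`

// sensitiveParam matches a token-bearing query parameter anywhere on the line,
// so it covers both the request target and a logged Referer. Group 1 is the
// "?name=" or "&name=" prefix, group 2 the value. Parameter names are assumptions.
var sensitiveParam = regexp.MustCompile(`(?i)([?&](?:refreshToken|refresh_token|access_token|id_token)=)([^&\s"]*)`)

// Finding is one log line that carried a token, in redacted form.
type Finding struct {
	LineNo   int
	Redacted string
}

// ScanResult is the outcome of one pass over a log.
type ScanResult struct {
	Lines        []string       // every input line with token values replaced
	Findings     []Finding      // only the lines that were changed
	Fingerprints map[string]int // sha256[:12] of each distinct token -> occurrences
}

// fingerprint returns a short hash so tokens can be tracked for revocation
// without the secret being copied into the scan output.
func fingerprint(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])[:12]
}

// scanLog redacts token values and tallies distinct tokens seen.
func scanLog(text string) ScanResult {
	res := ScanResult{Fingerprints: map[string]int{}}
	for i, line := range strings.Split(strings.TrimSpace(text), "\n") {
		for _, m := range sensitiveParam.FindAllStringSubmatch(line, -1) {
			if m[2] != "" {
				res.Fingerprints[fingerprint(m[2])]++
			}
		}
		redacted := sensitiveParam.ReplaceAllString(line, "${1}[REDACTED]")
		res.Lines = append(res.Lines, redacted)
		if redacted != line {
			res.Findings = append(res.Findings, Finding{LineNo: i + 1, Redacted: redacted})
		}
	}
	return res
}

func main() {
	res := scanLog(sampleLog)
	fmt.Printf("%d line(s) carried a token; %d distinct token(s) need revoking\n",
		len(res.Findings), len(res.Fingerprints))
	for _, f := range res.Findings {
		fmt.Printf("line %d: %s\n", f.LineNo, f.Redacted)
	}
	for fp, n := range res.Fingerprints {
		fmt.Printf("token sha256[:12]=%s seen %d time(s)\n", fp, n)
	}
}
```

Point it at a copy of the real log in place of the embedded sample: the fingerprint tally tells you how many distinct tokens to revoke, the line numbers show which requests (including Referer leaks) carried them, and the redacted lines can replace the originals once the unredacted copies are wiped.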
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.