CVE Vulnerability Database

CVE-2026-46342: Nuxt Framework XSS Vulnerability

CVE-2026-46342 is a reflected cross-site scripting (XSS) vulnerability in the Nuxt framework affecting versions 3.1.0 to 3.21.5 and 4.0.0-alpha.1 to 4.4.5. Attackers can abuse the /__nuxt_island/* endpoint to make the server render an island component with attacker-supplied props, injecting content under the application's own origin. This article covers technical details, affected versions, impact, and mitigation steps.


CVE-2026-46342 Overview

CVE-2026-46342 is a hash validation flaw in Nuxt, an open-source web development framework for Vue.js. The /__nuxt_island/* endpoint accepts attacker-controlled props from query or body parameters and renders any island component. The URL-resident hash (<Name>_<hashId>.json) is computed and embedded client-side by <NuxtIsland> but never validated server-side. The same path can therefore return materially different responses depending on the supplied query. The issue is tracked under [CWE-79] and affects both the core nuxt package and @nuxt/nitro-server.

Critical Impact

Attackers can force the island endpoint to render arbitrary components with attacker-supplied props, enabling reflected content injection through a trusted Nuxt route.

Affected Products

  • Nuxt versions 3.1.0 to before 3.21.6
  • Nuxt versions 4.0.0-alpha.1 to before 4.4.6
  • @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6

Discovery Timeline

  • 2026-06-12 - CVE-2026-46342 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-46342

Vulnerability Analysis

Nuxt exposes the /__nuxt_island/* endpoint to support server-rendered island components. The endpoint URL embeds a hash in the format <Name>_<hashId>.json that is generated by the <NuxtIsland> client component based on the component name and its props.

The server treats this hash as informational only. It does not recompute or verify the hash against the actual props received in the query string or request body. As a result, an attacker can request a known island path while substituting their own props parameter values, and the server will render the island with those attacker-controlled inputs.

Because island components frequently render user-supplied data into HTML, this behavior introduces a reflected cross-site scripting [CWE-79] surface on a route that developers assume is internal and integrity-protected.

Root Cause

The root cause is missing server-side validation of the integrity token. The hash is computed and embedded client-side, but the Nitro handler for /__nuxt_island/* accepts any combination of path hash and props without verifying that the hash was issued for those specific inputs.

Attack Vector

Exploitation requires network access to a Nuxt application and user interaction with an attacker-crafted link. The adversary identifies a valid island path from the target application, then appends or replaces the props query parameter with malicious values. When a victim loads the URL, the server renders the island with those props and returns the response under the application's origin.

No authentication is required. See the GitHub Security Advisory GHSA-g8wj-3cr3-6w7v and the GitHub Pull Request Discussion for technical details. No verified public proof-of-concept code is available.

Detection Methods for CVE-2026-46342

Indicators of Compromise

  • Requests to /__nuxt_island/* with unusual or oversized props query or body parameters.
  • Mismatches between the <Name>_<hashId>.json segment of the URL and the contents of the props parameter across recorded requests.
  • Island endpoint responses containing reflected attacker-controlled strings, script fragments, or HTML attributes.

Detection Strategies

  • Inspect web access logs for /__nuxt_island/ requests whose props parameter, after percent-decoding and JSON-decoding (a JSON \u003c escape resolves to <), contains HTML metacharacters such as <, >, or javascript:.
  • Correlate referer headers and client IPs that issue island requests with props values that diverge from those emitted by your own pages.
  • Run application-layer fuzzing against /__nuxt_island/* paths in staging to confirm whether the server enforces hash-to-props binding.

Monitoring Recommendations

  • Forward Nuxt and reverse proxy logs to a SIEM and alert on anomalous props payloads against the island route.
  • Track the version of nuxt and @nuxt/nitro-server deployed in each environment to confirm fixed releases are in use.
  • Enable Content Security Policy violation reporting (report-to or report-uri) so that inline scripts blocked in island responses surface as reports, which flags reflection attempts against the island route even when the policy stops them from executing.

How to Mitigate CVE-2026-46342

Immediate Actions Required

  • Upgrade nuxt to version 3.21.6 or 4.4.6, and upgrade @nuxt/nitro-server to the matching patched release.
  • Audit existing island components for output that interpolates props into HTML without escaping.
  • Restrict or deny direct external access to /__nuxt_island/* at the edge until patched builds are deployed.

Patch Information

The maintainers fixed the issue in Nuxt 3.21.6 and 4.4.6, and in @nuxt/nitro-server 3.21.6 and 4.4.6. The patched releases validate the URL-resident hash against the supplied props server-side before rendering. Refer to the GitHub Security Advisory GHSA-g8wj-3cr3-6w7v and the associated pull request for the fix details.

Workarounds

  • Place a reverse proxy rule that blocks requests to /__nuxt_island/* when the decoded props parameter contains HTML control characters. Match on the percent-decoded value and account for JSON \u escapes, and treat this as a stopgap that narrows the attack surface rather than a fix, since the hash is still not validated.
  • Enforce a strict Content Security Policy that disallows inline scripts to limit the impact of reflected output.
  • Disable server-rendered islands in affected applications until upgrade is possible, if the feature is not in use.
```bash
# Upgrade nuxt and @nuxt/nitro-server to a patched release (3.x line)
npm install nuxt@^3.21.6 @nuxt/nitro-server@^3.21.6
# or for the 4.x line
npm install nuxt@^4.4.6 @nuxt/nitro-server@^4.4.6
# Confirm the resolved versions are at or above the fixed releases
npm ls nuxt @nuxt/nitro-server
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
