CVE-2026-34200
HIGH
7,7
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: passive
Confidentiality: N/A
Integrity: N/A
Availability: N/A
Description
AI Translation Available
Nhost is an open source Firebase alternative with GraphQL. Prior to version 1.41.0, The Nhost CLI MCP server, when explicitly configured to listen on a network port, applies no inbound authentication and does not enforce strict CORS. This allows a malicious website visited on the same machine to issue cross-origin requests to the MCP server and invoke privileged tools using the developer's locally configured credentials. This vulnerability requires two explicit, non-default configuration steps to be exploitable. The default nhost mcp start configuration is not affected. This issue has been patched in version 1.41.0.
306
Missing Authentication for Critical Function
DraftCommon Consequences
Security Scopes Affected:
Access Control
Other
Potential Impacts:
Gain Privileges Or Assume Identity
Varies By Context
Applicable Platforms
Technologies:
Cloud Computing, ICS/OT
942
Permissive Cross-domain Security Policy with Untrusted Domains
IncompleteCommon Consequences
Security Scopes Affected:
Confidentiality
Integrity
Availability
Access Control
Potential Impacts:
Execute Unauthorized Code Or Commands
Bypass Protection Mechanism
Read Application Data
Varies By Context
Applicable Platforms
Technologies:
Web Based, Web Server
https://github.com/nhost/nhost/security/advisories/GHSA-6c5x-3h35-vvw2
https://github.com/nhost/nhost/commit/15eae9285f9dce63e184b9bb24616474ffa5ccc9
https://github.com/nhost/nhost/pull/4060
https://github.com/nhost/nhost/security/advisories/GHSA-6c5x-3h35-vvw2