PT-2026-29832 · Nhost · Nhost

Author: 0Xkakash1 · Published: 2026-04-01 · Updated: 2026-04-06 · CVE-2026-34969

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Nhost versions prior to 0.48.0
Description: The OAuth provider callback flow in Nhost's auth service places the refresh token directly in the redirect URL as a query parameter. Because the token travels in the URL, it can be exposed through browser history, server access logs, HTTP Referer headers, and proxy/CDN logs. The refresh token is one-time use, and these leak vectors sit on infrastructure or services integrated by the application developer. The vulnerable code is located in services/auth/go/controller/sign in provider callback get.go within the signinProviderProviderCallback function (lines 257-261), where the refresh token is added as a query parameter to the redirect URL. The issue affects all OAuth provider flows (GitHub, Google, Apple, etc.).
Recommendations: Update to version 0.48.0 or later.
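Added illustration of the pattern the advisory describes, written for this page and not taken from Nhost's code or its 0.48.0 fix: a redirect builder that appends the refresh token as a query parameter, a hardened variant that carries it in the URL fragment instead (fragments are not sent to servers, so they stay out of access logs, proxy/CDN logs and Referer headers, though they still land in browser history), and an audit check for redirect URLs captured in logs. The parameter name `refreshToken` and the callback URL are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
)

// Query keys treated as a refresh-token leak. Assumed names; the advisory
// does not state the parameter name Nhost used.
var sensitiveKeys = []string{"refreshToken", "refresh_token"}

// buildRedirectQuery reproduces the vulnerable pattern: the refresh token is
// appended to the redirect URL as a query parameter, so it is visible to every
// server, proxy and log that sees the URL, and to Referer headers.
func buildRedirectQuery(redirectTo, refreshToken string) (string, error) {
	u, err := url.Parse(redirectTo)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("refreshToken", refreshToken)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// buildRedirectFragment is one hardened alternative (illustrative, not Nhost's
// fix): the token goes in the fragment, which the browser keeps client-side.
func buildRedirectFragment(redirectTo, refreshToken string) (string, error) {
	u, err := url.Parse(redirectTo)
	if err != nil {
		return "", err
	}
	f := url.Values{}
	f.Set("refreshToken", refreshToken)
	u.Fragment = f.Encode()
	return u.String(), nil
}

// redirectLeaksToken is a log/code-review check: it reports whether a redirect
// URL carries a refresh token in its query string (the leaking position).
func redirectLeaksToken(raw string) (bool, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return false, err
	}
	for _, k := range sensitiveKeys {
		if u.Query().Get(k) != "" {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample values, not real tokens.
	bad, _ := buildRedirectQuery("https://app.example/callback", "r3fr3sh")
	good, _ := buildRedirectFragment("https://app.example/callback", "r3fr3sh")
	leakBad, _ := redirectLeaksToken(bad)
	leakGood, _ := redirectLeaksToken(good)
	fmt.Printf("%s leaks=%v\n%s leaks=%v\n", bad, leakBad, good, leakGood)
}
```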

Weakness Enumeration

Information Disclosure

Related Identifiers

CVE-2026-34969
GHSA-G2QJ-PRGH-4G9R

Affected Products

Nhost