PT-2026-41806 · Go · Github.Com/Nhost/Nhost
Published
2026-05-08
·
Updated
2026-05-08
CVSS v4.0
2.3
Low
| Vector | AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
Description
When a user changes their password, either through the authenticated password change endpoint or a password reset ticket, the
ChangePassword workflow correctly hashes and persists the new password via UpdateUserChangePassword. However, it does not revoke existing sessions. The auth.refresh tokens and auth.oauth2 refresh tokens tables are left untouched, meaning all previously issued refresh tokens remain valid and can continue generating new access tokens indefinitely.This vulnerability affects all password change paths (handled in [
change user password.go](https://github.com/nhost/nhost/blob/main/services/auth/go/controller/change user password.go)), since they share the same underlying workflow:- Authenticated password change via the Nhost dashboard or client SDK
- Ticket-based password reset (magic links / recovery flows)
- OAuth2/OIDC sessions managed via
auth.oauth2 refresh tokens
Attack Scenario
- An attacker steals a victim's refresh token via XSS or a compromised device.
- The victim changes their password, expecting it to terminate all active sessions.
- The server updates
password hashbut performs no session cleanup, the stolen token remains fully functional.
Impact
The attacker retains persistent access even after the victim's password change. This is especially severe in credential theft scenarios, where the victim's only recovery action does nothing against an active session. Depending on configured TTL, the attacker's window could be days or weeks.
Fix
Insufficient Session Expiration
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Github.Com/Nhost/Nhost