GHSA-6G38-8J4P-J3PR: Account Takeover via OAuth Email Verification Bypass in Nhost
Vulnerability ID: GHSA-6G38-8J4P-J3PR
CVSS Score: 9.3
Published: 2026-04-18
Nhost is vulnerable to a critical Improper Authentication flaw (CWE-287) that permits full account takeover. The flaw lies in the OAuth sign-in flow: several provider adapters link an incoming external identity to an existing local account on an email match alone, without checking that the identity provider has actually verified that email address.
TL;DR
A logic flaw in Nhost's OAuth implementation lets an attacker take over an existing account by registering the victim's email address, without ever verifying it, on a third-party identity provider such as Discord or Bitbucket and then signing in to Nhost through that provider.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-287
- Attack Vector: Network
- CVSS v4.0: 9.3
- Impact: Complete Account Takeover
- Exploit Status: Proof of Concept
- Authentication Required: None
Affected Systems
- Nhost Authentication Service
- Discord OAuth Adapter
- Bitbucket OAuth Adapter
- AzureAD OAuth Adapter
- EntraID OAuth Adapter
- github.com/nhost/nhost: < 0.0.0-20260417112436-ec8dab3f2cf4 (fixed in 0.0.0-20260417112436-ec8dab3f2cf4)
Code Analysis
Commit: ec8dab3
Fix OAuth email verification bypass and introduce strict verification checks.
Mitigation Strategies
- Software Update
- Configuration Change
- Code Audit
Remediation Steps:
- Update the github.com/nhost/nhost package to a version containing commit ec8dab3f2cf46e1131ddaf893d56c37aa00380b2.
- If patching is not possible, disable the Discord, Bitbucket, AzureAD, and EntraID OAuth login methods in the Nhost configuration.
- Audit any custom-built OAuth provider adapters to confirm that they read the provider's email-verified flag and refuse to link an identity to an existing account unless that flag is explicitly true. An adapter that cannot obtain the flag from the provider should treat the email as unverified rather than assume it is.
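The following is an added Go example, not code from Nhost or from the fix commit, illustrating the bug class described in the advisory and the strict check the audit step above asks for. It assumes a small normalised profile struct, an in-memory user store, and a `verified` JSON key for the provider profile (the key name follows Discord's documented user object; the profiles themselves are constructed). The vulnerable path links on email match alone; the strict path links only when the provider explicitly asserts the email as verified, and treats an absent or non-boolean flag as unverified so that it fails closed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ExternalIdentity is the normalised profile an OAuth adapter hands to the
// account-linking step. The shape is an assumption of this example.
type ExternalIdentity struct {
	Provider      string
	ProviderID    string
	Email         string
	EmailVerified bool
}

// LocalUser stands in for a row of the local users table.
type LocalUser struct {
	ID    string
	Email string
}

// userStore is an in-memory stand-in for the database, keyed by lowercased email.
type userStore map[string]LocalUser

func (s userStore) byEmail(email string) (LocalUser, bool) {
	u, ok := s[strings.ToLower(strings.TrimSpace(email))]
	return u, ok
}

// ErrUnverifiedEmail is returned when the provider did not assert the email.
var ErrUnverifiedEmail = errors.New("provider did not assert the email as verified; refusing to link to an existing account")

// parseProfile maps a provider's JSON user object onto ExternalIdentity.
// verifiedKey names the provider-specific boolean ("verified" for Discord's
// user object). If the key is absent or not a boolean the email is treated
// as unverified, so a provider that never reports the flag fails closed.
func parseProfile(provider, verifiedKey string, raw []byte) (ExternalIdentity, error) {
	var m map[string]any
	if err := json.Unmarshal(raw, &m); err != nil {
		return ExternalIdentity{}, err
	}
	id, _ := m["id"].(string)
	email, _ := m["email"].(string)
	verified, _ := m[verifiedKey].(bool) // missing or non-bool -> false
	if id == "" {
		return ExternalIdentity{}, errors.New("profile has no id")
	}
	return ExternalIdentity{Provider: provider, ProviderID: id, Email: email, EmailVerified: verified}, nil
}

// linkVulnerable reproduces the bug class in the advisory: any external
// identity whose email matches an existing user is linked to that user, so
// whoever registers the victim's address at the provider (without ever
// proving they own it) is logged in as the victim.
func linkVulnerable(store userStore, id ExternalIdentity) (LocalUser, bool) {
	return store.byEmail(id.Email)
}

// linkStrict links to an existing user only when the provider asserted the
// email as verified. found=false with a nil error means no local match; the
// caller should fall through to normal sign-up with its own email verification.
func linkStrict(store userStore, id ExternalIdentity) (user LocalUser, found bool, err error) {
	if id.Email == "" || !id.EmailVerified {
		return LocalUser{}, false, ErrUnverifiedEmail
	}
	u, ok := store.byEmail(id.Email)
	return u, ok, nil
}

func main() {
	store := userStore{"alice@example.com": {ID: "u-1", Email: "alice@example.com"}}

	// Constructed profiles: the attacker registered the victim's address at
	// the provider but never completed the provider's verification mail.
	attacker, _ := parseProfile("discord", "verified", []byte(`{"id":"9001","email":"alice@example.com","verified":false}`))
	victim, _ := parseProfile("discord", "verified", []byte(`{"id":"1234","email":"alice@example.com","verified":true}`))

	if u, ok := linkVulnerable(store, attacker); ok {
		fmt.Printf("vulnerable: attacker linked to %s\n", u.ID)
	}
	if _, _, err := linkStrict(store, attacker); err != nil {
		fmt.Println("strict:", err)
	}
	if u, ok, _ := linkStrict(store, victim); ok {
		fmt.Printf("strict: verified identity linked to %s\n", u.ID)
	}
}
```

When auditing a real adapter, the question to answer for each provider is where the verification signal comes from (a boolean in the user object, a separate emails endpoint, or an ID token claim) and what the adapter does when that signal is missing; the safe default shown here is to refuse the link and send the user through the normal sign-up and verification path instead.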
References
- GitHub Advisory GHSA-6G38-8J4P-J3PR
- Official Fix Pull Request
- Fix Commit (ec8dab3)
- OSV Advisory Entry